Re: [DNSOP] my dnse vision

Jelte Jansen <> Thu, 06 March 2014 15:36 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id EBD181A00BC for <>; Thu, 6 Mar 2014 07:36:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.453
X-Spam-Status: No, score=-2.453 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_I_LETTER=-2, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ifW9HCwgaciU for <>; Thu, 6 Mar 2014 07:36:02 -0800 (PST)
Received: from ( [IPv6:2a00:d78:0:147:94:198:152:69]) by (Postfix) with ESMTP id 4A2FD1A0051 for <>; Thu, 6 Mar 2014 07:35:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;; s=sidn_nl; c=relaxed/relaxed; h=message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:x-enigmail-version:content-type:content-transfer-encoding:x-originating-ip; bh=o316GqYmaGJYXY8o6ySwu7kgoYfiyZD44P/E1aNbdHE=; b=plhimsIgprkPMDUeomUK03wV5VfkQm97dVlzWGr1RmAYdnPkTkvp5vmTc3x8DJ1qO08wQfvb+Zxlbfe3UXN5U6p9NXuIORW9NiL2xn/FlS1TXt3FMBfl1EwuWfuTSmMukXM3AOTHSx0RdX3t6zCPs6a/VFIIZZHE1t+tzrbqC1w=
Received: from kahubcasn02.SIDN.local ([]) by with ESMTP id s26FZkLx018463-s26FZkM1018463 (version=TLSv1.0 cipher=AES128-SHA bits=128 verify=CAFAIL); Thu, 6 Mar 2014 16:35:46 +0100
Received: from [] ( by kahubcasn02.SIDN.local ( with Microsoft SMTP Server (TLS) id; Thu, 6 Mar 2014 16:35:45 +0100
Message-ID: <>
Date: Thu, 6 Mar 2014 15:35:43 +0000
From: Jelte Jansen <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10
MIME-Version: 1.0
To: Stephane Bortzmeyer <>
References: <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Originating-IP: []
Cc:, Hosnieh Rafiee <>
Subject: Re: [DNSOP] my dnse vision
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Mar 2014 15:36:05 -0000

On 03/06/2014 02:39 PM, Stephane Bortzmeyer wrote:
>> all the more reasons for ISPs to try and force you to use theirs
>> (perhaps even after some friendly coercion from the nearest
>> three-letter agency (four in the netherlands as well)). In which
>> case we'd need even better channel encryption, to the point where
>> you can't tell it's DNS, so it can be tunneled out of the network
> If we follow this line of reasoning, why do we deploy more security,
> then? With this argument, we would never have deployed HTTPS
> either. (Or SSH: most hotspots and many ISP block SSH.)

And lo and behold, you do see forced breakage of SSL, and 'friendly'
MITM attacks forced on people.

But I'm not saying we shouldn't do anything. I'm saying that I'm worried
that if we blindly splat some channel encryption on, we may actually
lower security for a number of people, in which case we need to go even
further and hide the fact that DNS data is being sent in the first
place. Now this may very well have been solved (VPN/SSL tunneling, one
of the existing specific-to-dns channel solutions), but in that case we
should probably be explicit about it.

But really I was working up to my next message, that was a +1 on
splitting up the various problems, and fix (or not fix) those
separately. That might even include not trusting your resolver in the
first place.

> We promised in Vancouver to seriously strengthen the Internet against
> surveillance. Was it an empty promise, politician-style?

I think we are all trying to do exactly that.

Or, to be a bit more precise and/or cynical: Of course it was, but we
are trying to do it anyway.