Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <> Sun, 19 August 2018 05:03 UTC

Date: Sat, 18 Aug 2018 22:03:53 -0700
From: Paul Vixie <>
To: Ted Lemon <>
CC: Marek Vavruša <>, dnsop <>

Ted Lemon wrote:
> Well, if that's true, Paul, then I guess DNS filter lists are totally
> unnecessary and you should stop working on that.   Maybe you already have?

see for more details on DNS Firewalls. of course, 
nominum was selling something like this ten years ago, and others have 
also developed similar capabilities in-house. this is a published spec 
so as to allow an unlimited number of subscribing defenders to choose 
from an unlimited number of publishing suppliers using one "language".

it's possible that others who have not begun to use RDNS as a perimeter 
defense do not understand why some of us can't allow every app or 
browser or user to transmit their own dns requests to outside servers. 
that is, we as network operators want to prevent some lookups from 
succeeding, in order to keep certain known-malicious activities frozen.

you may be excluding a middle in your analysis of what i've said. if a 
user or app can't get the DNS service they prefer, they should either 
use a different network, or shut off and go count mountain butterflies. 
in no event should they seek a bypass to the network operator's security 
policy. "their network, their rules."

P Vixie
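The "one language" Vixie refers to is the DNS Response Policy Zone (RPZ) format, in which a policy is distributed as an ordinary DNS zone and the recursive resolver rewrites answers for names that match it. The following is an added illustration, not code from the thread or from any RPZ implementation: it evaluates the QNAME-trigger subset of RPZ, with the action encodings RPZ uses (a CNAME to `.` means NXDOMAIN, to `*.` means NODATA, to `rpz-passthru.` means answer normally, to `rpz-drop.` means send no reply). The policy zone text, the apex `rpz.example` and the query names are constructed for the example; the exact-before-wildcard ordering is an approximation of RPZ's most-specific-match rule.

```python
# Added example: a minimal evaluator for the QNAME-trigger subset of DNS
# Response Policy Zones. It is not an RPZ implementation from the thread;
# the zone text, apex "rpz.example" and query names below are constructed.
#
# RPZ action encodings (CNAME target on the trigger record):
#   "."             -> NXDOMAIN  (answer: the name does not exist)
#   "*."            -> NODATA    (answer: the name exists but has no records)
#   "rpz-passthru." -> PASSTHRU  (exception: answer normally)
#   "rpz-drop."     -> DROP      (send no response at all)
from typing import Dict, Optional, Tuple

ACTIONS: Dict[str, str] = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}


def _norm(name: str) -> str:
    """Canonicalise a domain name: lowercase, no surrounding space, no trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_rpz(zone_text: str, apex: str) -> Dict[str, str]:
    """Parse '<trigger>.<apex> [ttl] [IN] CNAME <target>' records into {trigger: action}.

    Triggers keep a leading '*.' so that '*.bad.example' matches strict
    subdomains of bad.example but not bad.example itself (RPZ wildcard rule).
    """
    apex = _norm(apex)
    suffix = "." + apex
    rules: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or "CNAME" not in parts:
            continue  # not a policy record (e.g. SOA/NS) in this toy parser
        owner = _norm(parts[0])
        target = parts[parts.index("CNAME") + 1].lower()
        if target not in ACTIONS:
            raise ValueError(f"unsupported RPZ action target: {target}")
        if not owner.endswith(suffix):
            raise ValueError(f"owner {owner} is outside policy apex {apex}")
        rules[owner[: -len(suffix)]] = ACTIONS[target]
    return rules


def evaluate(qname: str, rules: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (action, matched_trigger) for a query name.

    An exact trigger wins over wildcards; among wildcards the closest ancestor
    wins. A name with no trigger resolves normally: ("PASSTHRU", None).
    """
    q = _norm(qname)
    if q in rules:
        return rules[q], q
    labels = q.split(".")
    # Wildcards match strict subdomains, so test *.parent for each ancestor.
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate], candidate
    return "PASSTHRU", None


# Constructed policy zone for the example (apex rpz.example).
ZONE_TEXT = """
; malware domain and everything beneath it: answer NXDOMAIN
malware.example.rpz.example        CNAME .
*.malware.example.rpz.example      CNAME .
; tracker domain: answer NODATA, but one subdomain is whitelisted
tracker.example.rpz.example        CNAME *.
*.tracker.example.rpz.example      CNAME *.
safe.tracker.example.rpz.example   CNAME rpz-passthru.
; known C2 name: drop the query silently
c2.example.rpz.example             CNAME rpz-drop.
"""

RULES = parse_rpz(ZONE_TEXT, "rpz.example")

if __name__ == "__main__":
    for name in ("malware.example", "deep.sub.malware.example", "tracker.example",
                 "safe.tracker.example", "x.tracker.example", "c2.example", "example.org"):
        action, trigger = evaluate(name, RULES)
        print(f"{name:28} -> {action:9} via {trigger}")
```

Because the policy is a zone, a defender subscribes to it with ordinary zone transfer (AXFR/IXFR) from whichever publisher they choose, which is the decoupling of "subscribing defenders" from "publishing suppliers" the message describes.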