Re: [DNSOP] Draft for dynamic discovery of secure resolvers

bert hubert <bert.hubert@powerdns.com> Sat, 18 August 2018 23:21 UTC

To: Ted Lemon <mellon@fugue.com>
Cc: Paul Vixie <paul@redbarn.org>, dnsop <dnsop@ietf.org>, Marek Vavruša <mvavrusa=40cloudflare.com@dmarc.ietf.org>
Message-ID: <20180818232106.GB32131@server.ds9a.nl>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1=-792WkQmbTigPdqOh0dONykYycG0hheOecoQa4ai=Hw@mail.gmail.com> <5B7893C9.7000703@redbarn.org> <CAPt1N1nj=g0nOsgHNvCosBg2va9pj228hKArpsukAzQ3jtX-gw@mail.gmail.com>
In-Reply-To: <CAPt1N1nj=g0nOsgHNvCosBg2va9pj228hKArpsukAzQ3jtX-gw@mail.gmail.com>

On Sat, Aug 18, 2018 at 07:12:57PM -0400, Ted Lemon wrote:
> How will you block it?

So just to make this a bit more colorful, DoH allows servers to push
unsolicited DNS responses, which the browser is then free to put in its DNS
cache.

This allows the DoH endpoint to hop around at will, or even have a whole
stash of IP addresses ready as alternates.

	Bert