Re: [DNSOP] Draft for dynamic discovery of secure resolvers

"John Levine" <> Tue, 21 August 2018 03:47 UTC

Date: Mon, 20 Aug 2018 23:47:45 -0400
From: John Levine <>
Organization: Taughannock Networks
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
List-Id: IETF DNSOP WG mailing list <>

In article <> you write:
>if you write down trust assumptions you'll be enumerating disjoint sets 
>of same as actually practiced by different users and different operators 
>whose reasons should be treated as valid rather than challenged.

We seem to have one group who see their network operator as a hostile
entity that uses the DNS to censor content and probably stuffs ads
instead of NXDOMAIN.

The other group sees the network operator as a major line of defense
against malware, phishes, and all of the other evil stuff on the
Internet, making it harder for the naive and wilfully clueless to
hurt themselves.*

The two aren't mutually exclusive but it is my impression that unless
you live in a country toward the repressive end of the spectrum, your
network is likely to do more of the latter than the former, and if you
are in repression land, they probably have a firewall that will keep
DoH from doing what the first group believes it will.


* - When I talk to security people at mail providers, they have
endless tales of people who take the mail out of their spam folder and
click on the links, you know, just in case it was filtered wrong.  If
you know it's bad stuff, you don't want the users to see it at all.