Re: [DNSOP] Draft for dynamic discovery of secure resolvers

David Conrad <drc@virtualized.org> Tue, 21 August 2018 17:36 UTC

From: David Conrad <drc@virtualized.org>
Date: Tue, 21 Aug 2018 10:36:46 -0700
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Cc: dnsop WG <dnsop@ietf.org>
In-Reply-To: <471139805.18285.1534847636363@appsuite.open-xchange.com>
Message-Id: <FBE862C5-6999-4D2F-A877-4ACDF1F5FBF1@virtualized.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_EavLuGGpppE7xMGC1OxkPT7u98>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Vittorio,

On Aug 21, 2018, at 3:33 AM, Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:
> If so, I can accept your use case: a smart user, knowing what he is doing, does not want anyone else to sanitize his queries for him. But I don't see why the best solution to your use case - which is quite a minority case, though easily overrepresented in a technical environment - is to build a sort of "nuclear bomb" protocol that, if widely adopted, will destroy most of the existing practices in the DNS "ecosystem" (I'm using the word that was being used at ICANN's DNS Symposium in Montreal), including the basic security measures that protect the 99.9% of the users who are not technically smart. 

Perhaps I’m misunderstanding: are you saying the folks who provide resolution services in a DoH world would have incentive to not follow basic security measures?

Regards,
-drc