Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Doug Barton <> Sun, 19 August 2018 17:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6FE76130E4D for <>; Sun, 19 Aug 2018 10:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NBBZQti1Udru for <>; Sun, 19 Aug 2018 10:02:17 -0700 (PDT)
Received: from ( [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1E853130E43 for <>; Sun, 19 Aug 2018 10:02:17 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id B248B79C for <>; Sun, 19 Aug 2018 10:02:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=dkim; t=1534698136; bh=CYP9+tVXRTrFczWOjyAygAH+y+Iy3iwUufydbspFKAo=; h=From:Subject:To:References:Date:In-Reply-To:From; b=QnUZ97kDkpevCs2Xt93RflUQBPvhyJ0wPJLT2C0uOCYK0TQFObgrikA0urZfmzRDX IluC/Py4TO6DBcmFYbTZ0QvzLW319ZC1/Dxwj8Ncp7b9cD75fwQSjf3wRa86LsByCz dyi/2D+l75Ci/FdHxzShDASDXHvY55aORfg2EbhU=
From: Doug Barton <>
References: <> <> <> <> <> <> <> <>
Message-ID: <>
Date: Sun, 19 Aug 2018 10:02:15 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 19 Aug 2018 17:02:19 -0000

On 08/19/2018 06:18 AM, Livingood, Jason wrote:
> So I suppose that the threat model in this example is presumably someone (1) eavesdropping on the relatively short path between CMTS and resolver or (2) modifying non-DNSSEC-validated responses - and that's does not seem like a very high risk threat IMO, given all the other potential and real threats lurking around on the Internet.

Personally I see securing the path from the stub to the resolver as a 
good step in the ultimate goal of encrypting all of the things. :) I'd 
like to see the traffic from the resolver to the authorities encrypted 
as well, along with all the other traffic on the Internet.

In years past people like me who pushed "encrypt, encrypt, encrypt!" 
were seen as kooks, but we now know beyond a shadow of a doubt that 
there are a legion of organizations, both public and private sector, 
that are collecting every piece of data about every person that they 
can. We also know that their reach is way farther than was imagined, and 
it's probably actually farther than what we know now.

So the question isn't, "Why encrypt?" the question is, why on earth 
wouldn't you want to?

And Jason, you missed a threat model, which is users who want to bypass 
their ISP's resolver.

I agree that encrypting from the CMTS to the local resolver isn't that 
valuable, since (unless I'm missing something) the ISP is the only one 
that can see that traffic, and they'll be able to log/manipulate the 
resolver already. So it's unlikely that an ISP would deploy DOH or DOT 
in the first place, so the idea of a DHCP option to support it isn't 
necessarily relevant in that environment. That doesn't mean it's not 
relevant elsewhere.