Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie, Tue, 21 August 2018 18:54 UTC

Date: Tue, 21 Aug 2018 11:54:23 -0700
From: Paul Vixie
To: David Conrad
CC: Vittorio Bertola, dnsop WG

David Conrad wrote:
> Vittorio,
> ...
> Perhaps I’m misunderstanding: are you saying the folks who provide
> resolution services in a DoH world would have incentive to not follow
> basic security measures?

noting that i am not vittorio, i will punch in as follows.

i do not expect CF to block resolution of its free-tier of CDN 
pseudo-customers; if they thought those folks didn't deserve DNS, they 
would probably think they didn't deserve CDN services either.

i block quite a few free-tier CF CDN pseudo-customers here, because that 
service tier is widely abused. since the addresses associated with these 
low-value pseudo-customers are shared by their paying customers, i can't 
block them at the IP layer. so i block them using DNS RPZ. (i do not 
publish this RPZ because in 1997 or so i got tired of lawsuits.)

anyhow, this is but one of many reasons why i don't want control-plane 
information injected into my network, bypassing my security perimeter. 
while CF is a special case, the general case is where my policies are 
aligned somewhat differently than the user's policies or the content 
provider's policies or the "public DoH" server operator's policies.

my network, my rules. one rule is, no bot-on-bot violence in my house.

P Vixie
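The name-based blocking the message describes (an RPZ on the local resolver, because the abused free-tier names share edge addresses with paying customers), as an added example that is not part of the original message and is not the author's unpublished RPZ or BIND's implementation. The policy zone `rpz.test.`, the names under `.example`/`.test` and the addresses in TEST-NET-1 (192.0.2.0/24) are constructed for the illustration; only the QNAME-trigger subset of RPZ is implemented.

```python
"""Minimal DNS RPZ QNAME-trigger evaluator: an added illustration, not BIND's code.

The owner name of each record (relative to the policy-zone apex) is the trigger;
the CNAME target encodes the action:  "."  -> NXDOMAIN,  "*." -> NODATA,
"rpz-passthru." -> leave the answer alone,  anything else -> local data.
"*.foo.example" matches names strictly below foo.example.  An exact trigger
beats a wildcard and a longer trigger beats a shorter one, as in BIND.
"""
from dataclasses import dataclass
from typing import Optional

RPZ_APEX = "rpz.test."  # assumed name of the local policy zone

# Constructed policy zone (the RPZ in the message above is not published).
SAMPLE_RPZ = """\
$ORIGIN rpz.test.
@                  NS    localhost.
abused.example     CNAME .              ; NXDOMAIN
*.abused.example   CNAME .              ; ... and everything below it
ok.abused.example  CNAME rpz-passthru.  ; exact match overrides the wildcard
junk.example       CNAME *.             ; NODATA
lure.example       CNAME sinkhole.test. ; walled garden (local data)
"""

# Constructed upstream answers.  Every CDN-fronted name shares one edge
# address (TEST-NET-1), which is why blocking at the IP layer is not an option.
SHARED_EDGE = "192.0.2.10"
UPSTREAM_A = {n + ".": SHARED_EDGE for n in
              ("abused.example", "bad.abused.example", "ok.abused.example",
               "junk.example", "lure.example", "paying.example")}
UPSTREAM_A["sinkhole.test."] = "192.0.2.250"

@dataclass(frozen=True)
class Rule:
    trigger: str                  # absolute, lower-case; may start with "*."
    action: str                   # NXDOMAIN | NODATA | PASSTHRU | LOCALDATA
    target: Optional[str] = None  # LOCALDATA only

@dataclass(frozen=True)
class Answer:
    rcode: str                    # NOERROR | NXDOMAIN
    address: Optional[str]        # A record, or None for NODATA / NXDOMAIN
    policy: Optional[str]         # RPZ action that fired, if any

def _fqdn(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."

def parse_rpz(zone_text: str, apex: str = RPZ_APEX) -> "list[Rule]":
    """Collect the CNAME policy records; directives, SOA and NS are plumbing."""
    rules = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comment, tokenise
        if len(fields) < 3 or fields[1].upper() != "CNAME":
            continue
        owner, rdata = fields[0].lower(), fields[2].lower()
        # absolute owners carry the apex; relative ones (from $ORIGIN) do not
        trigger = owner[:-len(apex)] if owner.endswith("." + apex) else owner + "."
        if rdata == ".":
            rules.append(Rule(trigger, "NXDOMAIN"))
        elif rdata == "*.":
            rules.append(Rule(trigger, "NODATA"))
        elif rdata == "rpz-passthru.":
            rules.append(Rule(trigger, "PASSTHRU"))
        else:
            rules.append(Rule(trigger, "LOCALDATA", _fqdn(rdata)))
    return rules

def match(rules: "list[Rule]", qname: str) -> Optional[Rule]:
    """Winning QNAME trigger: most labels first, exact before wildcard."""
    q, best = _fqdn(qname), None
    for r in rules:
        if r.trigger.startswith("*."):
            suffix = r.trigger[1:]            # ".abused.example."
            if not q.endswith(suffix):        # strictly below: the name itself fails
                continue
            rank = (suffix.count("."), 0)
        elif r.trigger == q:
            rank = (q.count("."), 1)
        else:
            continue
        if best is None or rank > best[0]:
            best = (rank, r)
    return best[1] if best else None

def resolve(qname: str, rules: "list[Rule]", via_local_resolver: bool = True) -> Answer:
    """Local RPZ applies only if the query actually reaches the local resolver;
    a client talking straight to a public DoH server gets the upstream answer."""
    q = _fqdn(qname)
    rule = match(rules, q) if via_local_resolver else None
    if rule is None or rule.action == "PASSTHRU":
        addr = UPSTREAM_A.get(q)
        return Answer("NOERROR" if addr else "NXDOMAIN", addr, rule.action if rule else None)
    if rule.action in ("NXDOMAIN", "NODATA"):
        return Answer("NXDOMAIN" if rule.action == "NXDOMAIN" else "NOERROR", None, rule.action)
    return Answer("NOERROR", UPSTREAM_A.get(rule.target), "LOCALDATA")

def ip_block(qname: str, blocked_addrs: "set[str]") -> bool:
    """The IP-layer alternative cannot separate a free-tier abuser from a paying
    customer served from the same edge address."""
    return UPSTREAM_A.get(_fqdn(qname)) in blocked_addrs
```

Running `resolve("bad.abused.example", parse_rpz(SAMPLE_RPZ))` returns NXDOMAIN while `paying.example` on the same edge address resolves normally; `ip_block("paying.example", {SHARED_EDGE})` shows the collateral damage an address-based block would cause. Passing `via_local_resolver=False` models a client that sends its queries to a public DoH server: the local policy is never consulted and the abused name resolves, which is the bypass the message objects to.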