Re: [DNSOP] NSA says don't use public DNS or DoH servers

Vladimír Čunát <> Fri, 22 January 2021 08:30 UTC

On 1/22/21 3:10 AM, Tom Pusateri wrote:
> Would it be ok to allow DNSSEC signed responses from any server? If they’re signed and verified, does it matter how you got them?

Another missing part is privacy, i.e. even if you get exactly the same 
answers, it doesn't imply you get similar (privacy) properties.

By the way, the ADD WG is now trying hard to define what it means for 
two resolver services to be "equivalent" - at least for the purpose of 
being OK to switch among them without the user's consent.