Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Craig Finseth <> Sun, 19 August 2018 17:20 UTC

From: Craig Finseth <>
Date: Sun, 19 Aug 2018 12:20:53 -0500
To: Doug Barton <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Or, you have malware trying to bypass DNS checks.

Craig Finseth 

> On Aug 19, 2018, at 11:43, Doug Barton <> wrote:
> On 08/18/2018 06:08 PM, Ted Lemon wrote:
>> The thing is that most devices don't connect to just one network. So while your devices on your network can certainly trust port 853 on your network, when they roam to other networks, they have no reason to trust it. If you have devices that never roam to other networks, that's fine, but we have to design for the more general case. There's no way with DHCP for the device to tell that it's connected to a particular network, other than matching IP addresses, which isn't a great idea.
> Ted,
> I'd like to turn your question back to you. What threat model are you protecting the user from by not allowing a DHCP option to use a DOH or DOT server?
> It seems to me that in the overwhelming majority of cases (near 100%) the user is going to get their local resolver from the DHCP server, whether they are on a trusted network (like work or home), or roaming at Eve's Coffee Shop.
> So either you have a sophisticated user who has preconfigured their own resolver and ignores the DHCP setting, or you have the typical user who doesn't understand how any of this stuff works, and therefore has implicit "trust" regarding the local network and the settings from the DHCP server.
> Given that (and feel free to tell me if I've missed something), what harm can come to the user if the resolver that they are already trusting can also be accessed over DOH or DOT?
> Doug