Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Doug Barton <> Wed, 22 August 2018 03:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EBB0F130DE2 for <>; Tue, 21 Aug 2018 20:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HnGNqaSngDD6 for <>; Tue, 21 Aug 2018 20:03:38 -0700 (PDT)
Received: from ( [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2E3071277D2 for <>; Tue, 21 Aug 2018 20:03:38 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id A19CE79C for <>; Tue, 21 Aug 2018 20:03:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=dkim; t=1534907017; bh=ta+ZeQcgXy+ER9izlCgbVrbYJSMlcUTfUcASUYmJy0o=; h=Subject:To:References:From:Date:In-Reply-To:From; b=eWDW2QI9L9U8oumNumC27FRZfU3niu6YQtPvOw2DE1J7dDnWyn2GMRManMfsMUA/W oLX4n3MTv/AmIZcWF98g8LIjGj/kHY5oiZURPYS3373Cvn2fansX2jxO5J2O0ssVM2 YryWQQqMmKKaxgPqyHWBU6Q9qIqxoSMvqZJVAq90=
References: <> <> <> <> <> <>
From: Doug Barton <>
Message-ID: <>
Date: Tue, 21 Aug 2018 20:03:36 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Aug 2018 03:03:40 -0000

On 08/21/2018 05:48 AM, Ted Lemon wrote:
> On Tue, Aug 21, 2018 at 12:59 AM, Doug Barton < 
> <>> wrote:
>     You, like Ted, are looking at the problem the wrong way 'round.
> And this, in a nutshell, is why this discussion has gone on so long.  
>   If you just caricature what the people you're conversing with say, 
> then it's inevitably going to go like this:

[ Snipped a bunch of arguments I didn't make ]

> This is why discussions balloon in the IETF.   So now I have the choice 
> of either being silenced, or continuing to be Person A in this charade.  
>   I think I've spoken my peace.   If you want to proceed with this work, 
> please do not be surprised if, when the call for adoption comes, I come 
> in and say "I raised substantive objections to this, which were not 
> addressed, so please do not take this on as a working group item."


While I'm not concerned about the issues you raised in your caricature, 
I feel that I have tried to engage you in your discussion of different 
security models. My understanding is that your models devolve down to 
two. Either the user configures a resolver themselves (whether it's 
DOH/DOT or not), and user doesn't configure a resolver themselves. I 
recognize the distinction you made between your models 1 and 3, and 
further recognize that it's extremely important to some people. My point 
is that *from the standpoint of a DHCP option for DOH/DOT* it's not 

 From our discussion, it seems that you're in agreement with me that if 
a user isn't configuring a resolver explicitly that they are no worse 
off with DOH/DOT than they are without it. Am I right so far?

Meanwhile, you've also voiced an opinion that the presence of a DHCP 
option implies some sort of endorsement by the IETF. I (and others) 
replied that we've never heard of this, and disagree strongly with your 

So other than the fact that we disagree on the endorsement issue, what 
am I missing here?