Re: [DNSOP] Global DNS architecture changes, "the camel", and so on

Paul Vixie <> Mon, 20 August 2018 18:08 UTC

Andrew Sullivan wrote:
> I guess, therefore, I want to ask whether long-standing assumptions
> about the DNS are still true:
>      • Is the stub::full-service resolver::auth server model just over?
>      • Do we think resolution context needs signal?  If so, how?

yes. DTLS or DOT or DNS Cookies should be the norm, to provide session 
context, and make spoofing of responses or of request IP addresses less 

>      • Is the age of the stub coming to an end?
>      • Do we need something like "submission port for DNS", so that
>      large concentrated systems can protect themselves and still
>      provide service to important resolvers?
>      • Does TCP need to become the norm (particularly for the above use
>      case)?
>      • How can we explain these changes to others working on network
>      systems?

better documents. it's rare any more to separate concepts and facilities 
from the specification itself. that should be common.

>      • Do we have an appropriate venue to discuss these issues, on the
>      presumption that they're not really operations issues?

no. right now DNS is whatever anybody wants it to be. for example, ECS. 
there is no way to say, "this is a bad idea, and won't be standardized." 
there cannot be a way to do this, inside the ietf as it is. last time 
this was done it was by a "DNS Directorate" put together for that sole 
purpose, and it was extremely controversial -- won't scale.

P Vixie
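As an added illustration of the "session context" that DNS Cookies give a resolver and an authoritative server (constructed example code, not from this thread or any DNS implementation): an encoder and parser for the RFC 7873 EDNS(0) COOKIE option, plus the two checks each side makes. The server-cookie construction below (truncated HMAC over the client cookie and source address) is an assumption for illustration, not the RFC 9018 SipHash-2-4 format.

```python
import hmac
import hashlib
import struct
import ipaddress

# RFC 7873: EDNS(0) option code 10, an 8-byte Client Cookie followed by an
# optional 8..32-byte Server Cookie.
OPT_COOKIE = 10

def cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode a COOKIE option as it appears inside the OPT RR RDATA."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8..32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", OPT_COOKIE, len(data)) + data

def parse_cookie_option(rdata: bytes):
    """Split an encoded option into (client_cookie, server_cookie)."""
    code, length = struct.unpack("!HH", rdata[:4])
    data = rdata[4:4 + length]
    if code != OPT_COOKIE or len(data) != length or not 8 <= len(data) <= 40:
        raise ValueError("malformed COOKIE option")
    return data[:8], data[8:]

def server_cookie(secret: bytes, client_cookie: bytes, client_ip: str) -> bytes:
    """Assumed construction: bind the client cookie to the request's source
    address under a server-side secret (illustrative, not RFC 9018)."""
    addr = ipaddress.ip_address(client_ip).packed
    mac = hmac.new(secret, client_cookie + addr, hashlib.sha256).digest()
    return mac[:16]

def server_accepts(secret: bytes, rdata: bytes, client_ip: str) -> bool:
    """Server side: a request is 'known' only if it carries a server cookie
    that was minted for this client cookie from this source address."""
    cc, sc = parse_cookie_option(rdata)
    if not sc:
        return False  # first contact: unverified, may be rate-limited
    return hmac.compare_digest(sc, server_cookie(secret, cc, client_ip))

def client_accepts(sent_client_cookie: bytes, rdata: bytes) -> bool:
    """Client side: a response must echo the client cookie we sent; a
    blind spoofer who never saw the request cannot supply it."""
    cc, _ = parse_cookie_option(rdata)
    return hmac.compare_digest(cc, sent_client_cookie)
```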