Re: [DNSOP] my dnse vision

Evan Hunt <> Thu, 06 March 2014 17:57 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 738441A00BC for <>; Thu, 6 Mar 2014 09:57:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gZkDRCBnLmvp for <>; Thu, 6 Mar 2014 09:57:15 -0800 (PST)
Received: from ( [IPv6:2001:4f8:0:2::2b]) by (Postfix) with ESMTP id 599EB1A0040 for <>; Thu, 6 Mar 2014 09:57:15 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 298F2C941E; Thu, 6 Mar 2014 17:57:01 +0000 (UTC) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=dkim2012; t=1394128631; bh=EDBhXClhaNolLtkxiMxTWIoFQ7/Apw8FyPi8+/brT2Q=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=JVTX4RB3aWR2T5g8miZdOR/y4kXejgV3cZrXeCXaGMdhEQfPkAFBa/rrixJooiPe7 h+Cnm6Hr17KFrSyn7eLy34jGHKRja1oVsqRGVvvXZpbQ2a+djoydxQM8YrJZe63ZU7 545O3/r5tbjXbILEmXwwFMO/4JYUk7ghAqgA5JOw=
Received: from ( [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "", Issuer "RapidSSL CA" (not verified)) by (Postfix) with ESMTPS; Thu, 6 Mar 2014 17:57:01 +0000 (UTC) (envelope-from
Received: by (Postfix, from userid 10292) id 19A25216C31; Thu, 6 Mar 2014 17:57:01 +0000 (UTC)
Date: Thu, 6 Mar 2014 17:57:01 +0000
From: Evan Hunt <>
To: Stephane Bortzmeyer <>
Message-ID: <>
References: <> <> <> <> <> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/
X-DCC--Metrics:; whitelist
Cc: Tony Finch <>,
Subject: Re: [DNSOP] my dnse vision
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Mar 2014 17:57:16 -0000

On Thu, Mar 06, 2014 at 06:39:07PM +0100, Stephane Bortzmeyer wrote:
> It's a very valid and interesting point but it has not a lot of
> relationship with the privacy issues.

I don't entirely agree: if a MITM can spoof a trusted remote resolver,
then QNAME minimization won't help you.  DNSSEC ensures that you get
legitimate answers; it doesn't ensure that the server on the other
end belongs to someone you trust to keep your queries confidential.

> I suggest that it deserves a
> separate effort, which could start with a nice I-D describing the
> problem statement/analysis (and then to proposed solutions).

I agree it would be appropriate to treat stub-to-resolver channel
security as a separate problem space.

(I will note in passing that I'm intrigued by the CGA-TSIG draft
being circulated by Mr. Raffieh.)

> Unless we want to solve all the security problems of the DNS at once,
> with the same solution?

Oh, I didn't realize it was an option. Yes, that sounds excellent,
please do that.

Evan Hunt --
Internet Systems Consortium, Inc.