Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <> Tue, 21 August 2018 12:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 257EF130E35 for <>; Tue, 21 Aug 2018 05:49:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2lB9sBkW4maj for <>; Tue, 21 Aug 2018 05:49:14 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E7056130E44 for <>; Tue, 21 Aug 2018 05:49:13 -0700 (PDT)
Received: by with SMTP id p81-v6so3877477itp.1 for <>; Tue, 21 Aug 2018 05:49:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=n+yeJQr016Q2HC1mUXP1GgvrYJRjC+sinnYpUIOvOtU=; b=WJEFdBL3COSXHfp4xVBClW4qHbrxeOe4zJ0tFHQII/DemOM5cO83gQpUUlzRtXgpUQ g+P5ajy4LdH8Nuw2Yz05eq5V1IGObjU3jpdWkzkmO4Ugt0cUUHy8NN1yplCampXS5fBw L51KQzKR29AjfmF9/QD3hs8l5bnesmP6dGal6rjSAYMvWVAV3vr7ksLEn8LBYqTuCTnU FZMmwkCqaKlWA4W1Uaw9xc58KXQUEaX7DRRsgFsbJ+Vswaol/kJ1JcIZf2Grg+UBkmfc 2zkEv+uKMIz9lMtJrM79cptzdMx8/wM0hReMT59EmGgS+E/r9N4Ekkx8VAAGcI2LKN5e xA5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=n+yeJQr016Q2HC1mUXP1GgvrYJRjC+sinnYpUIOvOtU=; b=nteGL7fB3REJbxaqmR1M7HPwoN6CBqj/ToC43TnSQ7Ls8Od2tWOH9m1DM8Nk2zDmwQ /QyHYjWBRWwBkA0KjgxhkartYme+NUHvgccrItl4Wp9Lrsnh+sWo5H7Y20gvbh4J5/F+ iz0mvwcnzhsZfZEYtFb4t2ZN59cA1+LJv8iCp4s/C3I7kKHdva5wt520qRz4V5BrXnUC xop58rhLeo364Ozugf/3R0UHQ7U9LGz+P7ZMlPNOAD6zsaG/fRGWjSWNPWhoQVn7Dsms 7vP4alaNGcShUH23frEeZF2QRi3rf+hmS/FF2NvKbZ66pbpgUDp3r0gty/ejICg/ZzNW 1DCg==
X-Gm-Message-State: AOUpUlF6fw59caIfz6HfCToV7y+pXlPfr6qvdbxn3xBfNwaMdl3GJGVQ I4ivnk83/+VrD1yTgk1JkF0oeDoSgBDa6DwdUs2hDDV1
X-Google-Smtp-Source: ANB0VdaDx3VY2mwL0jNYSL2Kcp/GSWW+HUcNUpVxxA/0v0b8jvZdhiQd4sr1DwPkp4542RezzSoMpbibC1v1aKSR924=
X-Received: by 2002:a02:9d45:: with SMTP id m5-v6mr3668174jal.72.1534855753127; Tue, 21 Aug 2018 05:49:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:a009:0:0:0:0:0 with HTTP; Tue, 21 Aug 2018 05:48:32 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
From: Ted Lemon <>
Date: Tue, 21 Aug 2018 08:48:32 -0400
Message-ID: <>
To: Doug Barton <>
Cc: dnsop WG <>
Content-Type: multipart/alternative; boundary="000000000000f278d40573f173bb"
Archived-At: <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Aug 2018 12:49:37 -0000

On Tue, Aug 21, 2018 at 12:59 AM, Doug Barton <> wrote:

> You, like Ted, are looking at the problem the wrong way 'round.

And this, in a nutshell, is why this discussion has gone on so long.   If
you just caricature what the people you're conversing with say, then it's
inevitably going to go like this:

Person A: I think that there are some issues here that we need to consider,
and that your use model is the not the only use model we need to think
Person B: You want the malware operators to take over the Internet
Person A: No, I didn't say that.   I get that your use model makes sense to
you, and we should address your use model.   I'm just saying it's not the
only use model we should address
Person B: Right, you're saying that I shouldn't be able to control what
happens on my network.
Person A: No, I'm really not saying that.   I'm saying we need to consider
other use cases as well.
Person B: So you're saying that we should also consider the use case where
you want to be able to bypass my controls and let the malware operators
control my network.
Person A: No, I'm NOT saying that.   I'm saying that there are legitimate
reasons why people might want to bypass DNS resolvers.
Person B: So you're helping the malware operators.

This is why discussions balloon in the IETF.   So now I have the choice of
either being silenced, or continuing to be Person A in this charade.   I
think I've spoken my peace.   If you want to proceed with this work, please
do not be surprised if, when the call for adoption comes, I come in and say
"I raised substantive objections to this, which were not addressed, so
please do not take this on as a working group item."