Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <> Wed, 22 August 2018 18:24 UTC

To: Ted Lemon <>
CC: Vittorio Bertola <>, dnsop WG <>, David Conrad <>

Ted Lemon wrote:
> Again, to repeat myself once more, one more time, I am asking that we
> actually decide what to recommend, and not just say "we all already
> know what the right behavior is."   If we all agreed on what the correct
> behavior was, we wouldn't be having this discussion.   Maybe if we tried
> to describe what we all think the correct behavior was, we would realize
> that we do agree on it, but we haven't done that yet.   And the possible
> set of all behaviors is more complicated than you suggest.

with regard to dhcp, if the dhc wg is freezing new features pending
authentication capabilities which are not forthcoming, then dhcp is off
the table for DoT discovery.

in that case, the purported android approach of "use DoT if it works"
may be the only way forward. this means when current unauthenticated
dhcp tells you what your rdns servers are, you'll try each of them with
TCP/853 and use that if it works, else fall back to whatever you did
before, which is probably UDP/53 falling back to TCP/53.

P Vixie
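The "use DoT if it works" policy in the message above, written out as an added example (not code from the thread, Android, or any resolver project): each DHCP-supplied resolver is probed on TCP/853 in order, the first one that completes a TLS handshake is used for DoT, and otherwise the client falls back to the first server over port 53. Because the addresses come from unauthenticated DHCP there is no name to verify a certificate against, so the probe is opportunistic and deliberately does not verify the certificate; the `previously_dot` bookkeeping is an added defender-side touch that flags when a network that used to answer on 853 suddenly does not, since a fallback that is forced rather than natural is what an operator would want logged. The probe timeout, the `Decision` type and the RFC 5737 addresses in `main` are assumptions constructed for this example.

```python
import socket
import ssl
from typing import Callable, Iterable, NamedTuple, Optional

DOT_PORT = 853          # DNS over TLS (RFC 7858)
DO53_PORT = 53          # classic DNS; UDP first, TCP on truncation
PROBE_TIMEOUT = 2.0     # seconds; value chosen for this example, not from the thread


def probe_dot(server: str, timeout: float = PROBE_TIMEOUT) -> bool:
    """Return True if `server` completes a TLS handshake on TCP/853.

    Opportunistic mode: the address came from unauthenticated DHCP, so there
    is no name to verify against and certificate verification is disabled.
    This establishes "DoT works here", not "this is the resolver I expect".
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


class Decision(NamedTuple):
    server: Optional[str]   # resolver address chosen, or None if the list was empty
    transport: str          # "dot", "do53" or "none"
    downgraded: bool        # True if a server that used to do DoT no longer does


def select_resolver(dhcp_servers: Iterable[str],
                    probe: Callable[[str], bool] = probe_dot,
                    previously_dot: Iterable[str] = ()) -> Decision:
    """Apply the policy from the message: first DoT-capable server wins,
    else fall back to the first server over port 53.

    `probe` is injectable so the policy can be exercised without a network;
    `previously_dot` is the set of servers that answered on 853 last time.
    """
    servers = list(dhcp_servers)
    for s in servers:
        if probe(s):
            return Decision(s, "dot", False)
    if not servers:
        return Decision(None, "none", False)
    # Fallback path. If any of these servers previously spoke DoT, the
    # fallback may be an on-path downgrade rather than a missing feature.
    downgraded = any(s in set(previously_dot) for s in servers)
    return Decision(servers[0], "do53", downgraded)


def main() -> None:
    # Constructed DHCP lease: two RFC 5737 documentation addresses.
    lease_servers = ["192.0.2.1", "192.0.2.2"]
    # A fake probe stands in for probe_dot so this runs offline; it pretends
    # only the second server answers on 853.
    fake_probe = lambda s: s == "192.0.2.2"
    print(select_resolver(lease_servers, probe=fake_probe))
    print(select_resolver(lease_servers, probe=lambda s: False,
                          previously_dot={"192.0.2.2"}))


if __name__ == "__main__":
    main()
```

To probe real resolvers, drop the `probe=` argument so `probe_dot` is used; the timeout bounds how long a blocked port 853 delays startup, which is the cost of trying DoT before every fallback.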