Re: [Driu] How to describe various flavors of DNS resolvers

Philip Homburg <> Mon, 14 May 2018 09:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6C524126E64 for <>; Mon, 14 May 2018 02:59:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dfO5W4551PfO for <>; Mon, 14 May 2018 02:59:56 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C2F5B1241F8 for <>; Mon, 14 May 2018 02:59:55 -0700 (PDT)
Received: from (localhost [::ffff:]) by with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384) (Smail #157) id m1fIAGn-0000FaC; Mon, 14 May 2018 11:59:53 +0200
Message-Id: <>
From: Philip Homburg <>
References: <> <>
In-reply-to: Your message of "Sat, 12 May 2018 19:19:34 -0400 ." <>
Date: Mon, 14 May 2018 11:59:53 +0200
Archived-At: <>
Subject: Re: [Driu] How to describe various flavors of DNS resolvers
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "DNS Resolver Identification and Use \(DRIU\)." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 May 2018 09:59:58 -0000

>    This is something Willem and I have been working on:
>    [2]
>    r/draft-tpwt-dhc-dns-discovery.txt

For IPv6 it is unfortunately also necessary to consider router advertisements.
It might be worth trying to align the DHCPv6 options and any RA options 
such that they use as much as possible the same conceptual model.

>    But Ted Lemon is concerned that learning about private DNS over
>    DHCP is not much benefit because you cant trust the DNS server
>    you learn about.

>    3. Any DNS server providing DNS over TLS or DNS over HTTPS should
>    have DNSSEC records to show they are authentic servers and TLSA
>    records to ensure the client is talking to the actual server.

I wonder if, even just as strawman, we should document how to signal DNS over
TLS and DNS over HTTPS just using DNS, i.e.
- DANE in the reverse zone can signal TLS or HTTPS
- the PTR can be used as ADN
- SRV records can be used to specify ports as well as ADNs and also signal
  DNS over TLS or HTTPS.

The advantage is that no new wire representations have to be introduced. 
The disavantage it that it only works if the operator of the resolver has
control over reverse DNS.

Note that for IPv6, it may take a long time before router vendors support
the required changes to router advertisements and some client device vendors
seem to have strong objections against the use of DHCPv6.