Re: [Driu] [Ext] How to describe various flavors of DNS resolvers

Philip Homburg <> Tue, 15 May 2018 17:33 UTC


>IMHuO, preventing downgrade attacks will not work because there are likely going
>to be environments that will block DNS-over-TLS and common DOH servers (China
>comes to mind). Browsers will have to keep working for these people.

Does that mean that browsers are also going to downgrade https to http if
https is blocked?

When I made a mistake with a Strict-Transport-Security header, there was
really no way I could convince Firefox to let me do http.

In any case, I would prefer my browser to complain about downgrade attacks
and possibly offer an option to allow it. Not just silently switch to an
insecure protocol.

Related to this issue: a lot of people configure resolvers like
manually. It would be nice if we can avoid input fields for TLS, HTTPS, 
port, sni, certificate, etc. Way better if that kind of stuff is auto