Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Meeting in Montreal

Adam Roach <> Tue, 10 July 2018 15:09 UTC


[as an individual]

On 7/10/18 9:59 AM, Paul Wouters wrote:
> It seems more like an extension of the Public Suffix. Which domains can
> make claims about other domains. 

Based on the conversation that took place in DoH in Singapore, I think 
it's mostly *not* about this. The questions that have come up so far 
include: (a) If the record that is pushed to me is DNSSEC signed, is 
that sufficient to trust it? (b) If the record that is pushed to me is 
not DNS signed, but I'm using it in a context that requires TLS (e.g., 
HTTPS), and the thing that I connect to when I use the record can 
present a cert that proves its identity, is that okay?

There *might* be some useful discussion that includes applying the PSL 
to determine who can vouch for what, but I would expect this to be of 
significantly lower priority; and, given DBOUND's recent failure, I 
doubt there's useful IETF work to be done in that space, at least for 
the time being.
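To make the two trust questions in the reply concrete (a DNSSEC-validated pushed record versus an unsigned one that is only "steering" a TLS-authenticated connection), here is a small client-side policy for records pushed by a web origin. This is an added illustration, not code from the thread or any IETF draft; the `PushedRecord` fields, the `Decision` outcomes, the tiny public-suffix set and the sample hostnames and addresses are all constructed for the example.

```python
"""Acceptance policy for DNS records pushed by a web origin ("resolverless DNS").

Added example (not from the mailing-list thread). It models the two questions
raised above: (a) a pushed record the client itself validated with DNSSEC, and
(b) an unsigned pushed record that only steers a connection whose peer will be
authenticated by a TLS certificate. A PSL-style "same registrable domain" check
is included separately for the lower-priority "who may vouch for what" question.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Constructed sample of public-suffix entries; the real PSL is much larger.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


class Decision(Enum):
    TRUSTED = "trusted"      # client validated the DNSSEC chain itself
    TLS_GATED = "tls-gated"  # usable only because TLS will authenticate the peer
    REJECT = "reject"        # unsigned and no later identity check: do not use


@dataclass(frozen=True)
class PushedRecord:
    name: str               # owner name the record answers for
    rtype: str              # "A" or "AAAA"
    value: str              # address carried in the record
    pushed_by: str          # hostname of the origin that pushed it
    dnssec_validated: bool  # True only if this client checked RRSIG/DS itself


def registrable_domain(name: str) -> Optional[str]:
    """Registrable domain under the sample PSL, or None if name is itself a suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])  # no listed suffix: fall back to the last two labels


def same_registrable_domain(a: str, b: str) -> bool:
    """PSL-style vouching rule: may origin `a` speak for name `b`?"""
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb


def decide(record: PushedRecord, consumer_authenticates_with_tls: bool) -> Decision:
    """Question (a): a DNSSEC-validated record is trusted on its own merits.
    Question (b): an unsigned record is usable only when the consumer will verify
    the peer's certificate, so a wrong address yields a failed handshake rather
    than a silently misdirected connection. Anything else is rejected."""
    if record.dnssec_validated:
        return Decision.TRUSTED
    if consumer_authenticates_with_tls:
        return Decision.TLS_GATED
    return Decision.REJECT


def tls_identity_to_verify(record: PushedRecord) -> str:
    """Under (b) the certificate must be checked against the record's owner name,
    never against the origin that pushed it; otherwise the pusher could vouch
    for any name simply by controlling the address the client connects to."""
    return record.name.lower().rstrip(".")


class PushedCache:
    """Cache of pushed records, consulted with the consumer's security context."""

    def __init__(self) -> None:
        self._entries = {}

    def add(self, record: PushedRecord) -> None:
        self._entries[(record.name.lower().rstrip("."), record.rtype)] = record

    def lookup(self, name: str, rtype: str,
               consumer_authenticates_with_tls: bool) -> Optional[Tuple[str, Decision]]:
        rec = self._entries.get((name.lower().rstrip("."), rtype))
        if rec is None:
            return None
        outcome = decide(rec, consumer_authenticates_with_tls)
        if outcome is Decision.REJECT:
            return None
        return rec.value, outcome


if __name__ == "__main__":
    cache = PushedCache()
    # Constructed sample records (documentation address ranges).
    cache.add(PushedRecord("cdn.example.net", "A", "192.0.2.10", "www.example.com", True))
    cache.add(PushedRecord("api.example.org", "A", "198.51.100.7", "www.example.com", False))
    print(cache.lookup("cdn.example.net", "A", False))   # trusted via DNSSEC
    print(cache.lookup("api.example.org", "A", False))   # None: plain-text consumer
    print(cache.lookup("api.example.org", "A", True))    # usable, gated by the cert check
```

The design choice worth noting is that the unsigned path never answers "is this record true?"; it only answers "is a wrong answer harmless?", which is exactly why the identity the TLS layer verifies has to be the record's own name and not the pusher's.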