Re: [Driu] How to describe various flavors of DNS resolvers

Tom Pusateri <> Sat, 12 May 2018 23:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5E5761241F5 for <>; Sat, 12 May 2018 16:19:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6jRRAhPEz2rM for <>; Sat, 12 May 2018 16:19:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D69E5129C51 for <>; Sat, 12 May 2018 16:19:36 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 2E2A593A; Sat, 12 May 2018 19:18:45 -0400 (EDT)
From: Tom Pusateri <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FF7A683F-C3D2-4847-B62C-282604F99646"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Sat, 12 May 2018 19:19:34 -0400
In-Reply-To: <>
Cc: "" <>
To: Paul Hoffman <>
References: <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [Driu] How to describe various flavors of DNS resolvers
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "DNS Resolver Identification and Use \(DRIU\)." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 12 May 2018 23:19:42 -0000

> On May 12, 2018, at 6:30 PM, Paul Hoffman <> wrote:
> Greetings. This mailing list has many purposes, but a (hopefully easy) one is: how should DNS-over-TLS be described in protocols like DHCP? Should there be a separate DHCP option for naming DNS-over-TLS servers to the DHCP client? If not, how should clients upgrade from DNS-over-53 to DNS-over-TLS?
> And: who wants to write the Internet Draft for this?
> --Paul Hoffman

This is something Willem and I have been working on: <>

But Ted Lemon is concerned that learning about private DNS over DHCP is not much benefit because you can’t trust the DNS server you learn about.

We have been discussing this is more detail and so I wrote this threat document to try and work through it: <>

This is still a work in progress and talks are ongoing.

1. In the presence of DNSSEC, the responses can be shown to be trustworthy. In the absence of DNSSEC, there are still some benefits in my opinion.

2. I think there may be a benefit for operating system vendors  and/or dhclient vendors to have a black list / white list.
    Something similar is done today with browser vendors / operating system vendors with <>

3. Any DNS server providing DNS over TLS or DNS over HTTPS should have DNSSEC records to show they are authentic servers and TLSA records to ensure the client is talking to the actual server. Other out of band mechanisms such as SPKI pinning could be used but distributing this over DHCP is worthless because having the network provider include the information needed to check the network provider is not helpful. But even DNSSEC records for the server do not guarantee the responses that don’t have DNSSEC validation are not tampered with. SIG(0) can help. See the threat document.

4. If a well known DNS over TLS server like or is blocked, then the DHCP client is probably in a hostile environment. If it can’t verify through DNSSEC, the records it learns, it probably should disconnect. But how do we know we can trust or

I welcome more discussion and feedback.