Re: [Resolverless-dns] Paper on Resolver-less DNS

Joe Abley <> Thu, 15 August 2019 22:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6102E1200C7 for <>; Thu, 15 Aug 2019 15:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id T1WT9LgJLa-m for <>; Thu, 15 Aug 2019 15:11:06 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E96C41200E7 for <>; Thu, 15 Aug 2019 15:11:05 -0700 (PDT)
Received: by with SMTP id j5so2340005ioj.8 for <>; Thu, 15 Aug 2019 15:11:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=O2kMbcatKz4ZYBR0qFSdxus4mGHU3e1CNqJ8JvuGYtY=; b=Hzw91mhp+4pgWIv95ft/CXLORK8/dk/ypXgmRFMoO9wwXPnzLMWIp8cZvgow0UmO0O y65eEYlBS36Z92hfG2552yYwHlsSDu81dpe5F99/66ulf9KF/avrsoE6MSLbQKPIt9DL XQ0SiYOxv75PnCAj0eWMdPOlwY4eegZgEToXE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=O2kMbcatKz4ZYBR0qFSdxus4mGHU3e1CNqJ8JvuGYtY=; b=Vr3FurA3gPT3LRlPtgFYgIM8fYdTQTnfAlpkKjXP02870Q2Sw5E7+Hf7Goe5kw/XPR TCjzAnEnPooJdGDgcfwslSk4GWGJ31tKOpLLmu3wVLD+zwJQo9lcGQ/K2k3C8ZxcJZk/ B0u/wbz/cmH1DgqjRPDGDFH+wlUZk80mJqF4Pv80LI0Iydbl1Sqp3jiVAq8DgT9XbAlf tS/loL1cbS1/FTrwQkn0pveCeHPLemVd+V4yi4kOlAD0p/UPNFaj3KgFNcyUmIcsZtSe lAuHu29JhHcK46FKdAtFBSmq2m0S4y5Xy/fdFwgPN+AQeXvcnRgEBEc2RLq6QYuwuTrm 6znQ==
X-Gm-Message-State: APjAAAVrez3xlRbx+ve1OAxo4BV03F3Z1wcmHy2lmo/V9tnEnT6ESbfg qvhSAmFgAaENYcYm6ioJS7dGMQ==
X-Google-Smtp-Source: APXvYqzlE7QRigtKUACVADWyxwgAMzXaCpcaIOTKXFSSmK7fvmkFWpgx6rL+rHGopjMylvgyPVYwwA==
X-Received: by 2002:a02:a11e:: with SMTP id f30mr7705468jag.0.1565907064927; Thu, 15 Aug 2019 15:11:04 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id m10sm3503310ioj.75.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Aug 2019 15:11:03 -0700 (PDT)
From: Joe Abley <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_CD796B7C-AD9B-42C3-BE79-473DDB00D7CE"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 15 Aug 2019 18:11:02 -0400
In-Reply-To: <>
Cc: Eric Orth <>, Ben Schwartz <>,, John Levine <>
To: Fred Baker <>
References: <> <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 15 Aug 2019 22:11:08 -0000

On 15 Aug 2019, at 18:01, Fred Baker <> wrote:

> One thing I would want to be certain of is that the host did DNSSEC validation. It’s the only way I know of to verify the validity of the RR.

In the case of a client doing resolverless DNS with a server, presumably it has already

 - looked up the name using a resolver
 - established a TCP connection
 - completed a TLS handshake with some degree of certificate validation
 - potentially supplied acceptable credentials for HTTP authentication, if the server needs them

before it is in a position to do name resolution within the resulting HTTPS bundle. What is the reasoning to require that additional precautions be taken at this point, compared to the conventional behaviour where the client continues to get fake results from the cache of the poisoned resolver?

I agree the DNSSEC validation at the client would be nice to see, but I think that's a more general statement than one that is specific to this case.