Re: [Resolverless-dns] Paper on Resolver-less DNS

Ted Lemon <> Thu, 22 August 2019 02:39 UTC

From: Ted Lemon <>
Date: Wed, 21 Aug 2019 22:39:37 -0400
To: Paul Vixie <>

So, for your use case it would be good if there were a way for authorized devices to know that they are connected to your network and use your resolvers, and a way to quarantine devices that have not been configured that way. Or you could just have them always use your resolver if they are willing.

Sent from my iPhone

> On Aug 21, 2019, at 21:47, Paul Vixie <> wrote:
> On Thursday, 22 August 2019 01:21:40 UTC Ted Lemon wrote:
>>> On Aug 21, 2019, at 9:08 PM, Paul Vixie <> wrote:
>>> my experience with HSTS is that dotted-quad links are nearly impossible to
>>> use from an HTTPS web object, since they point either to an HTTP web
>>> object (which is a downgrade) or do an HTTPS object whose SNI is a dotted
>>> quad (which is hard to get a certificate for.)
>> Thanks, that’s a good point. So to describe what is going on here, what
>> you are saying is that the browser provides no avenue of endpoint
>> identification and authorization other than DNS?
> i don't know that part. i do know i stop a lot of crud with DNS RPZ, for 
> myself and my customers, and that if web browsers stop asking DNS questions, 
> the defense methods i'm using and recommending will work less often.
> -- 
> Paul
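The quarantine idea in Ted's reply, as an added example that is not from either poster: a small Python detector that runs over constructed flow records and flags LAN hosts whose DNS traffic does not go to the network's own resolver (plain DNS to an outside resolver, DoT on port 853, or HTTPS to an address known to serve DoH). The resolver address, the list of public DoH/DoT resolvers, and the one-line flow format are all assumptions made for the example.

```python
"""Flag LAN hosts whose DNS traffic bypasses the network's own resolver.

Added example, not code from the Resolverless-dns thread. Assumed flow
record format (one per line): "<timestamp> <src> <dst> <dst_port> <proto>".
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the network's RPZ-enforcing resolver lives here.
LOCAL_RESOLVERS = {"10.0.0.53"}
# Assumption: public resolvers that also serve DoH/DoT. Extend from your own
# telemetry; a browser doing DoH to an address not in this set looks like any
# other HTTPS flow to this check, which is exactly the blind spot discussed.
PUBLIC_ENCRYPTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample flows (203.0.113.10 is a documentation address).
SAMPLE_FLOWS = """\
# timestamp           src        dst            dport proto
2019-08-21T21:40:01 10.0.1.20  10.0.0.53      53    udp
2019-08-21T21:40:02 10.0.1.21  8.8.8.8        53    udp
2019-08-21T21:40:03 10.0.1.22  1.1.1.1        853   tcp
2019-08-21T21:40:04 10.0.1.23  1.1.1.1        443   tcp
2019-08-21T21:40:05 10.0.1.23  203.0.113.10   443   tcp
2019-08-21T21:40:06 10.0.1.20  10.0.0.53      53    tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def classify(flow, local_resolvers=LOCAL_RESOLVERS, encrypted=PUBLIC_ENCRYPTED_RESOLVERS):
    """Return a reason string if the flow bypasses the local resolver, else None."""
    if flow.dport == 53:
        if flow.dst in local_resolvers:
            return None
        return f"Do53 to external resolver {flow.dst}"
    if flow.dport == 853:
        # DoT has a dedicated port, so it is always visible as such.
        return f"DoT (port 853) to {flow.dst}"
    if flow.dport == 443 and flow.dst in encrypted:
        # Only identifiable because the destination is a known resolver.
        return f"probable DoH to {flow.dst}"
    return None


def find_bypassing_hosts(flows, local_resolvers=LOCAL_RESOLVERS,
                         encrypted=PUBLIC_ENCRYPTED_RESOLVERS):
    """Map each offending source host to the list of reasons it was flagged."""
    findings = defaultdict(list)
    for flow in flows:
        reason = classify(flow, local_resolvers, encrypted)
        if reason:
            findings[flow.src].append(reason)
    return dict(findings)


def quarantine_candidates(flows, **kw):
    """Sorted list of hosts that a NAC/firewall policy could move to quarantine."""
    return sorted(find_bypassing_hosts(flows, **kw))


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for host, reasons in find_bypassing_hosts(parsed).items():
        print(host, "->", "; ".join(reasons))
    print("quarantine:", quarantine_candidates(parsed))
```

On the sample data, 10.0.1.20 stays clean, while 10.0.1.21 (plain DNS to 8.8.8.8), 10.0.1.22 (DoT) and 10.0.1.23 (HTTPS to 1.1.1.1) are flagged. The second flow from 10.0.1.23, to 203.0.113.10:443, is not flagged even if it were DoH: without SNI or similar fingerprinting, encrypted DNS to an unlisted endpoint is invisible to this kind of check, which is why resolver-side defenses such as RPZ lose coverage once browsers stop asking the local resolver.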