Re: [Resolverless-dns] Paper on Resolver-less DNS

Paul Vixie <> Fri, 16 August 2019 21:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 347DC120071 for <>; Fri, 16 Aug 2019 14:45:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jBCQh8fGDw43 for <>; Fri, 16 Aug 2019 14:45:09 -0700 (PDT)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3FC2B120018 for <>; Fri, 16 Aug 2019 14:45:09 -0700 (PDT)
Received: from linux-9daj.localnet ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 14594892E8; Fri, 16 Aug 2019 21:45:09 +0000 (UTC)
From: Paul Vixie <>
Cc: Anne Bennett <>
Date: Fri, 16 Aug 2019 21:45:08 +0000
Message-ID: <9323236.5EVOHOzQma@linux-9daj>
Organization: none
In-Reply-To: <>
References: <> <16840451.Gnsi7N2eSB@linux-9daj> <>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 16 Aug 2019 21:45:11 -0000

On Friday, 16 August 2019 21:35:25 UTC Anne Bennett wrote:
> Paul Vixie <> writes:
> > i'll want to see how the network operator's policies for
> > dns monitoring and filtering will be reliably detected,
> > and respected.
> I would think this to be an impossible task; if I as a network
> operator am redirecting all port 53 traffic to my resolvers,
> which use various filtering policies to, for example, redirect
> queries for known phishing and malware sites to my local
> "don't be phished" web page, what on earth mechanism could
> possibly exist that could mirror my policies in this context?

this draft in another wg appears to be an attempt at such:

i don't know if it can meet the "reliably detected" threshold though.

> While I believe in the bona fide of the people advocating for
> resolverless DNS, and I don't doubt that there are performance
> bottlenecks that could be alleviated with such a scheme, as a
> sysadmin I feel almost as if these designs were specifically
> created to prevent me from protecting my users.  :-(

i know that feeling. but i think what's happened is the next generation of 
internet technologists have taken an interest in dns, without ever having 
tried to secure it or defend it, or its applications. not knowing what they 
don't know, their proposals seem more reasonable to them than to me.

see also: