Re: [Resolverless-dns] Paper on Resolver-less DNS

Paul Vixie <> Tue, 20 August 2019 07:16 UTC

From: Paul Vixie <>
Date: Tue, 20 Aug 2019 07:16:03 +0000
Message-ID: <4912129.Q1cc77n183@linux-9daj>
Organization: none
In-Reply-To: <>
References: <> <6216510.zdPCGfSLMl@linux-9daj> <>

On Saturday, 17 August 2019 19:35:23 UTC Erik Sy wrote:
> On 8/17/19 07:39, Paul Vixie wrote:
> > On Friday, 16 August 2019 21:52:40 UTC Erik Sy wrote:
> >> Clients using a traditional DNS resolver do not care about a validation
> >> of those DNS records.
> > 
> > i have significant evidence to the contrary.
> Can you please share your evidence?

i've taken some time to think about this question, because it's as if you've asked a fish, 
"what is water?"

every customer, shareholder, competitor, family member, friend, colleague i have is 
concerned about bad DNS bindings being consumed by unsuspecting apps. they don't 
call it by that name, but they think of domain names as "owned by" someone and they 
want the answers their apps consume to be "authentic" and they know that there's a 
great risk to life and wealth if this equation doesn't hold.

you could, if you were interested in learning the extent of how DNS is used and how it is 
evolving, study the deployment of DNSSEC and DANE, both among OS providers, name 
owners, DNS implementers, and DNS operators. if your mind were open, you could 
consider the possibility that DNS is larger than the web, is used by many non-web apps, 
and that any web-only solution is too small to be worth bothering about, and not just a 
vector by which attackers fool victims.

but your mind seems not to be open. in the days since you wrote the above question i've 
watched you systematically dismiss all arguments that threaten your ideology. i'm making 
this reply to you because i'll be in hamburg shortly for elbsides and i hope that you will 
meet me and discuss this in person. but, my hope for this outcome has dimmed with 
each knee-jerk dismissal that you have offered this thread.

> >> In this thread, we talked about possible privacy drawbacks of
> >> resolver-less DNS. However, did we talk about the privacy risks of using
> >> a traditional DNS resolver? They can monitor the entire browsing
> >> activities of a user and present the real privacy problem.
> > 
> > DoT (RFC 7858) corrects that privacy problem and is being deployed.
> The privacy problem is that a significant share of DNS resolvers monitor
> the users' online activities, aggregate these data in user profiles and
> use these profiles within behavioral advertising or share these user
> profiles with other parties. Here [1], you can find a comparative
> analysis of public DNS resolver privacy policies substantiating my claims.

i prefer the traditional approach where we don't blindly give our data away to google, 
ibm, cisco, cloudflare, and anyone else who can print a Quad-N t-shirt. run your own 
RDNS, and use it. for my reasoning, see this article:

i'll hope to hear contact information for you by the sunday before elbsides.