Re: [Resolverless-dns] Paper on Resolver-less DNS

Paul Vixie <> Wed, 21 August 2019 20:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B62DA120805 for <>; Wed, 21 Aug 2019 13:03:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BZsJQ0XSYaY6 for <>; Wed, 21 Aug 2019 13:03:44 -0700 (PDT)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 109391209F0 for <>; Wed, 21 Aug 2019 13:03:41 -0700 (PDT)
Received: from linux-9daj.localnet ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id C5E2A892E8; Wed, 21 Aug 2019 20:03:40 +0000 (UTC)
From: Paul Vixie <>
Date: Wed, 21 Aug 2019 20:03:21 +0000
Message-ID: <9495312.8Az2s6tnoE@linux-9daj>
Organization: none
In-Reply-To: <>
References: <20190819203948.2BE688829F4@ary.qy> <> <>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Aug 2019 20:03:48 -0000

On Wednesday, 21 August 2019 19:53:55 UTC Erik Sy wrote:
> ... Anyway, I think its time to improve the
> data protection of DNS before the engineering department gets involved
> in those advertising programs.

because we have to secure the whole internet system, and not just the subset 
of that system called the web, dns itself has been the subject of massive 
change over the last two decades to improve its data protection.

the idea of having a web object tell my web browser which malware server to go 
to in order to download a bitcoin miner, without being subject to either 
control or monitoring by my private network operator (parental controls, or 
corporate security), should terrify pretty much everybody.

we need the internet system to be secure, including its naming system, and not 
on an app-by-app (such as the web, which to the internet is just an app) 
basis. embedding dns content in web object secures against only one attack, 
and only within the confines of one app. the rest of the problem will remain, 
except, the web as an app wouldn't benefit from the rest of those solutions.