[dns-operations] Can Root DNS server modify the response?

David Conrad drc at virtualized.org
Fri Mar 29 15:32:06 UTC 2019


On Mar 29, 2019, at 12:18 AM, Vittorio Bertola <vittorio.bertola at open-xchange.com> wrote:
>> This is the kind of pointless rhetoric that makes discussions so useful. Thanks.
> I agree that the thread may have drifted off topic, but you were justifying distrusting an entire constituency because of the actions of a few members, and letting another group of companies unilaterally decide retribution and use that distrust to replace them all, and I find this unhelpful and divisive (though you are certainly not the only one using this argument).

I am not justifying anything. I am merely pointing out a reality that some network operators, state-based actors, and infrastructure providers took actions that caused a set of counter-actions. Just as the green card lawyers caused the creation of anti-spam tools that blocked entire ISPs because of the actions of a few of the ISPs' customers. Or RPZ tools that allow for the blocking of entire TLDs because of the actions of a few registrars.

Do you find those tools unhelpful and divisive as well?

DOH exists partly because there was a risk of a vulnerability in the underlying infrastructure and an in-application mechanism was relatively easy to deploy that addressed that risk.

Do you deny that risk exists?

An implication of the solution to that risk is to cause all infrastructure providers to be assumed by users of a particular application to be distrusted by default.  The alternative is to trust some but not others. What is your solution to distinguish between trusted and non-trusted infrastructure providers? How will the proverbial grandmother deploy your solution?

And yes, I’m aware that DOH as implemented by the browser vendors is moving the determination of trust for users of those browsers to the browser vendors' selections of TRRs. I find this unfortunate, but not surprising given the constraints the browser vendors face in terms of user base, deployment model, etc.

> So I thought that an analogy would make it immediately clear how dangerous such a precedent would be and how it could play in the future. No offense intended :-)

The analogy was so flawed that I didn’t think you were actually suggesting it seriously.

Since I appear to be mistaken: if the registrars, registries, or ICANN can be replaced by some new technology implemented by browser vendors, disrupting the existing system and creating different gatekeepers to identification on the Internet, then it is up to Internet users, not me, you, the DNS cabal, the IETF, etc., to decide the “winners”.  Pretending that there aren’t aspects of the current system that caused the creation of new gatekeepers/alternate technology is a waste of time.

