Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Vittorio Bertola <> Mon, 20 August 2018 16:41 UTC

Date: Mon, 20 Aug 2018 18:41:53 +0200
From: Vittorio Bertola <>
To: Ted Lemon <>, Paul Vixie <>
Cc: Joe Abley <>, dnsop WG <>

> On 20 August 2018 at 17.55, Ted Lemon <> wrote:
>  I am entirely within my rights to use DoH whether the network operator likes it or not.   It is not illegal for me to do so, and if I did so, it would not be so that I could violate the law—it would be so that I could protect my privacy and avoid DNS spoofing that returns forged answers, which I consider to be a security threat, and which I am fairly certain my network operator does.
> It is certainly true that in some cases, someone using DoH would be violating a network operator policy that is enforceable, or would be violating the law.   But that is by no means the most common case, and it does you no credit to pretend otherwise.

Can you substantiate this statement with data / details? Because I only know cases in which:
a) ISPs filter out content on behalf of the local government due to legal requirements/court orders;
b) ISPs filter out content on request by the user, e.g. for parental control; in the UK, ISPs are actually required by law to provide this service to the user, who can then decide whether to activate it or not and even what to filter out;
c) ISPs filter out threats such as botnets, compromised websites distributing malware, etc. - this does not entail any freedom of speech consideration and contributes to everyone's security.

In many European countries network operators are selling b)+c) (see for example ) and people are actively buying the service, so they explicitly want this kind of filtering (and will not be able to continue getting it if their browser redirects their DNS queries somewhere else); and if you do not want it, you just don't buy it. As for a), possibly users do not want it, but it is still mandated by law.
So I cannot immediately recall cases in which a network operator in Europe is filtering out things that a user wants and can lawfully access. But you mention that your network operator is spoofing the DNS and stifling your freedom of expression, so I guess it is censoring legitimate websites - this is bad, of course, but can you tell me which operator, and which websites? It would help my understanding of your use case.

Finally, note that *in your country* it may be your right to use DoH to tamper with what your network operator is doing, but this may not be true in other countries. In fact, deploying any technology that circumvents security measures that network operators are required to implement by law might be illegal in itself.

In the end, the DNS is a very complex policy subject (see the mess that ICANN is) with lots of stakeholders and conflicting views, and IMHO such a deep change in its architecture and "ecosystem" would require much more caution and a much broader discussion going well beyond the IETF.


Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
Office @ Via Treviso 12, 10144 Torino, Italy