Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie, Mon, 20 August 2018 17:53 UTC

To: Ted Lemon <>
CC: Joe Abley <>, dnsop WG <>

Ted Lemon wrote:
> On Mon, Aug 20, 2018 at 12:57 PM, Paul Vixie wrote:
>     so, their network, but not their rules? when spammers used to tell
>     me that sending spam wasn't illegal and i had to accept it, i
>     blackholed them and said, my network, my rules. who has what rights,
>     and why?
> Paul, take a deep breath. I'm paying for my network service.

if the plural of anecdote was data, i'd counter by saying, my family and 
my employees and my visitors do not pay for my network service. but that 
way lies madness. your network, your rules. if you're paying for it then 
you should make the rules. i pay for mine; i make my own rules.

>> some references i've seen go by in this thread indicate that the DoH
>> team wants its protocol to be unblockable, ...
> I think the DoH team is not quite as cohesive as you think it is,
> but yes, that is one implication of the use of DoH. If you find it
> problematic, then you need to get your end users to proxy all their
> HTTPS traffic through your HTTPS proxy. This will be really obvious
> to them, so you won't be able to do it without their agreement.

indeed, DoT was designed to solve this problem -- it can't be 
intercepted or blocked without the user becoming aware of it. but it's 
designed to be blockable by network operators who don't want it to be 
used. that's better engineering, because it rams nothing down any throat.

> This is by design. This situation has existed since HTTPS has
> existed—it's not something that DoH invented. You've always been able
> to use HTTPS to bypass firewalls; this has good uses and bad. Tough
> luck—see Figure One. :)

see also my own prior work in this area:

the difference there was, it's ad hoc, intended to solve point problems 
for individuals, and it would be very easy to block if it caused new or 
worse problems for the coffee shop or hotel room owner.

DOH is designed to be hard to block and to become ubiquitous. that's a 
problem that no amount of gaslighting will reduce the relevance of.

>> if there are use cases beyond violating the law and violating network
>> operator security policy, then they are obviously secondary, but do
>> tell-- what do you think those might be?
> Preventing user behavior tracking seems like a pretty valid use case.

it would be, if it was cheap to block. that is, on my network, under my 
rules, user behaviour tracking may be my policy. a user who wants to 
avoid that tracking should ask for non-tracking. if they won't ask, or 
if i say no, then the default should be non-functionality.

the DOH people are trying to ram something down the throats of network 
operators worldwide, and i'm gagging on it. a deep breath won't help.

>> i also block tor endpoints. because, my network, my rules. if it's
>> going to be my network but mozilla's or cloudflare's rules, then this
>> conversation is going to travel very differently, because i'll still
>> be paying for it, but it won't be _my_ network any more. would that
>> sit well with you? it wouldn't with me.
> If you think that Mozilla isn't trustworthy, don't use Firefox. It's
> all about trust. It's naive to think that you aren't going to have
> to trust someone; thinking about trust models is no longer optional
> for network operators.

this has nothing to do with trusting mozilla, although in this case, 
they are giving me reasons to treat them as a hostile opponent.

this has nothing to do with what i use. for me it's about employees, 
family members, and visitors. for turkey and china and others, it's 
about national law. the ietf has not been knowingly and deliberately 
hostile to local network policy before now. this is a sea change. it 
will not end here, and it will escalate.

P Vixie
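The engineering difference argued above, shown as an added example that is not part of this thread: an egress policy check that can recognise DoT by its dedicated port (853, RFC 7858) but can only recognise DoH on 443 for endpoints the operator already has on a list. The host names and addresses below are constructed placeholders, not real resolvers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DOT_PORT = 853    # RFC 7858: DNS over TLS has its own well-known port
HTTPS_PORT = 443  # DoH (RFC 8484) rides on ordinary HTTPS

# Placeholder list of DoH endpoints an operator has chosen to block
# (constructed names, not real resolvers).
KNOWN_DOH_HOSTS = {"doh.example.net", "resolver.example.org"}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    sni: Optional[str]  # TLS server name, or None when absent


def classify(flow: Flow) -> str:
    """Return the policy verdict for one outbound flow."""
    if flow.dst_port == DOT_PORT:
        # DoT is identifiable by port alone: a user who chose it sees it fail.
        return "dot-blocked"
    if flow.dst_port == HTTPS_PORT:
        if flow.sni in KNOWN_DOH_HOSTS:
            # DoH can be blocked only for endpoints the operator already knows.
            return "doh-blocked"
        # Anything else on 443 may be DoH or a web page; the port says nothing.
        return "https-opaque"
    return "allowed"


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count verdicts over a batch of flows (e.g. one export of flow records)."""
    counts: Dict[str, int] = {}
    for f in flows:
        verdict = classify(f)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 853, "dns.example.net"),   # DoT: blockable by port
    Flow("192.0.2.11", 443, "doh.example.net"),   # DoH on a listed host
    Flow("192.0.2.12", 443, "www.example.com"),   # ordinary HTTPS, or DoH?
    Flow("192.0.2.12", 443, None),                # no SNI visible at all
    Flow("192.0.2.13", 80, None),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```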