Re: [DNSOP] [dns-privacy] [Doh] New: draft-bertola-bcp-doh-clients

Paul Vixie <> Wed, 13 March 2019 06:28 UTC

From: Paul Vixie <>
Cc: Brian Dickson <>, "" <>, Christian Huitema <>, "" <>, Stephen Farrell <>
Date: Wed, 13 Mar 2019 06:28:23 +0000
Message-ID: <2008045.2dFDXBJIrK@linux-9daj>
Organization: Vixie Freehold
References: <> <7128698.bmqQpDD1M4@linux-9daj> <>
Subject: Re: [DNSOP] [dns-privacy] [Doh] New: draft-bertola-bcp-doh-clients

On Tuesday, 12 March 2019 23:12:37 UTC Brian Dickson wrote:
> I think there is a way to use technical design(s) to split hairs, i.e. I
> think the side meeting has the possibility of bearing fruit which is
> palatable enough for all parties.

i hope so. i will only be in prague from saturday evening 'til monday morning.

> The crux of the problem is how to determine if the network operator is
> truly hostile (GFC), or merely restrictive (Paul's network, Paul's rules.)

no, that's not the crux. it's only one problem, the one being had by a user or
application wondering which dns server and what protocol to use.

there's another problem, considered the crux by some, but still only one
problem, and that's how to prevent truly hostile users or apps from bypassing
the security policy implemented in the local RDNS control plane.

neither one gets to call itself the crux, i think.