Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <> Mon, 20 August 2018 15:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6C1CF130E60 for <>; Mon, 20 Aug 2018 08:55:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Dmr20-VO-GWn for <>; Mon, 20 Aug 2018 08:55:44 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DBA74130E46 for <>; Mon, 20 Aug 2018 08:55:43 -0700 (PDT)
Received: by with SMTP id l8-v6so2420746ioj.11 for <>; Mon, 20 Aug 2018 08:55:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ug+KRQwO+RSvRSlTHnhpqbYLO2Gc6KrOJ9Fdl+EfNwc=; b=crHzfXIH6yVNnt7H+JK5C2BHP2vJSYxLJ4e4Q104tz3F4yj96L/ZtgkW7psrBRwJkA X5zLxmoMdEiE7WKB9OaaOgmBf+9A5JD4JCjfzqlaIvZ2DA19bSS335YSchJKyRSCpjqs nvtYGPq3Fsqjm8sa8jahLnVwHXMKJHi86izryqpzWyZPWGrqDxcVzQBUdscnm6BU4snf Lmoa6LfKp39jwr+UWpRNI/64D2UrYI1zdir2mRGsaRPJr8S+DjnjH4juBValgW0m+qyD c4bg7FyWQBSK7JrMk+pMuFpoS0v1BshooO7IYt3EN09BhT4N/bvKevVPLKcCuCsIVgKV gTKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ug+KRQwO+RSvRSlTHnhpqbYLO2Gc6KrOJ9Fdl+EfNwc=; b=QiWMx6a24YxCJQG5RnvnS9dtQb1lAUcSxC6eyZYOjTqmj+a48ONU92BXkDOaKabnKu mc/ZWsMzEcU3jsbhWoopxcAhjYSeuUgOWSbatXpmczlUYcPAQPAfzpT28H42W6iuP/uS rjjJv6B87yD45LbP+yF9JpnZLINgFWID4JTxg16bRtXzCQNfeW2gcQyeHF2ASq/8Gyof a0cVH1vpiGsG7qmea96xcHT+CaZfWOvLC5B7WcFBFxJZgnPxmCd5wZf+RR00dXUNBOCb XuvIT6wep1q96yUcMHK63EK0ODsJkIECqgQxj+TDEZdwdKFJu/1q1sl/qwlVT+dNyxhk ionA==
X-Gm-Message-State: AOUpUlGQQaugebUx3GJhtYs2MXTHIgs6mcEArtWcVChc2lhsaZMO3KMG 6BYKXwkJmfQMZtNxUN/84qFcAzzc/4H78RUBFbrgm3Bz
X-Google-Smtp-Source: AA+uWPxfc5aKFL/9Nia0OD8apkGg1VLklG7PTh/844BFOMx11Wr9svxZrdFQxaFrpUVgyyTQrWTwhViVcUqv4758FQU=
X-Received: by 2002:a6b:9d0b:: with SMTP id g11-v6mr40759713ioe.85.1534780543087; Mon, 20 Aug 2018 08:55:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:a009:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 08:55:02 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
From: Ted Lemon <>
Date: Mon, 20 Aug 2018 11:55:02 -0400
Message-ID: <>
To: Paul Vixie <>
Cc: Joe Abley <>, Vittorio Bertola <>, dnsop WG <>
Content-Type: multipart/alternative; boundary="000000000000144c320573dff14b"
Archived-At: <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Aug 2018 15:55:46 -0000

Paul, it's really not helpful to do this kind of reductio ad absurdum.

You are assuming that all networks operators have a security policy which
they have a right to enforce on the end user.   In some cases this is
true.   In most cases it is false.   E.g., the network to which I am
currently connected has no such right of enforcement.   It would be
*catastrophic* if it did, because I'm the paying customer, and supposedly
this is a country in which freedom of speech is guaranteed.   I am entirely
within my rights to use DoH whether the network operator likes it or not.
 It is not illegal for me to do so, and if I did so, it would not be so
that I could violate the law—it would be so that I could protect my privacy
and avoid DNS spoofing that returns forged answers, which I consider to be
a security threat, and which I am fairly certain my network operator does.

It is certainly true that in some cases, someone using DoH would be
violating a network operator policy that is enforceable, or would be
violating the law.   But that is by no means the most common case, and it
does you no credit to pretend otherwise.

On Mon, Aug 20, 2018 at 11:49 AM, Paul Vixie <> wrote:

> Joe Abley wrote:
> ....
>> These are the same use-case, just viewed with different bias.
> so, DoH's use cases all involve either violating the law, or violating the
> network operator's security policy? egads, i hope not. the ietf can't be
> seen backing something that has _no_ legitimate purpose.
> --
> P Vixie
> _______________________________________________
> DNSOP mailing list