Re: [DNSOP] [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients

Paul Vixie <> Tue, 12 March 2019 18:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 742F7130E66; Tue, 12 Mar 2019 11:17:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mazzjEqzYSgs; Tue, 12 Mar 2019 11:17:42 -0700 (PDT)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E35341277DE; Tue, 12 Mar 2019 11:17:42 -0700 (PDT)
Received: from linux-9daj.localnet ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id B4052892C6; Tue, 12 Mar 2019 18:17:42 +0000 (UTC)
From: Paul Vixie <>
To: Eliot Lear <>
Cc: nalini elkins <>, "Konda, Tirumaleswar Reddy" <>, "" <>, "" <>, "Ackermann, Michael" <>, Christian Huitema <>, "" <>, Vittorio Bertola <>, Stephen Farrell <>
Date: Tue, 12 Mar 2019 18:17:41 +0000
Message-ID: <1821023.QPalJCvhiW@linux-9daj>
Organization: Vixie Freehold
In-Reply-To: <>
References: <> <> <>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [DNSOP] [Doh] [dns-privacy] New: draft-bertola-bcp-doh-clients
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Mar 2019 18:17:44 -0000

On Monday, 11 March 2019 18:18:38 UTC Eliot Lear wrote:
> > i wonder if everyone here knows that TLS 1.3 and encrypted headers is
> > going to push a SOCKS agenda onto enterprises that had not previously
> > needed one, and that simply blocking every external endpoint known or
> > tested to support DoH will be the cheaper alternative, even if that makes
> > millions of other endpoints at google, cloudflare, cisco, and ibm
> > unreachable as a side effect?
> That or it will require a bit more management at the MDM level.  I’m hoping
> the latter.  And I hope that one output of all of these documents will be a
> recommendation regarding MDM interfaces.

MDM is a cooperation protocol. that is, both the operator and the app or user 
have to want data management to be be mastered (DM to be M, so, MDM).

this is off-topic for DoH, which seeks to prevent on-path interference with 
DNS operations. that is, someone or something using DoH cannot be expected to 
seek cooperation with the network operator.

teenagers and malware being two easy examples. BYOD being another.

pre-DoH, it was possible to ensure that noncompliance with MDM would yield 
failures. that is, disallowing outbound 53 and 853 except from the operator's 
own name servers. post-DoH, such enforcement is (deliberately) impossible.

can we therefore please stop talking about MDM here.