Re: [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

Paul Vixie <> Mon, 11 March 2019 06:17 UTC

To: Christian Huitema <>
Cc: Stephen Farrell <>, nalini elkins <>, Vittorio Bertola <>, "Ackermann, Michael" <>
From: Paul Vixie <>
Date: Sun, 10 Mar 2019 23:17:43 -0700
List-Id: IETF DNSOP WG mailing list <>

Christian Huitema wrote on 2019-03-10 23:05:
> On 3/10/2019 10:24 PM, Paul Vixie wrote:
>> if you are using my network, then it makes no difference which of us
>> bought you that laptop. you will use the RDNS i allow you to use. RDNS
>> is part of the control plane, and i use it for both monitoring and
>> control. sometimes that's so that i can see malware beacon to its C&C.
>> sometimes that's so that i can institute parental controls.
>> if you don't like my rules, you should vote with your feet, and not
>> visit me. because that is the only choice you will have. (yes, i will
>> be part of a major new project to identify and block all DoH services,
>> so that behavioural security policies can still work, because you may
>> have noticed that the internet has never become MORE secure from new
>> tech, but it occasionally becomes LESS secure more slowly because of
>> policy.)
> "Use a VPN, or use the local defaults".

that is not what i said.

> Well, there are plenty of
> in-between.

yes, and i gave examples.

see above.

> You claim the right to impose your rules, because it is "your network".
> Yet you have to define ownership. You are providing network services
> under some contractual terms. There are cases where an imperial network
> can dictate those terms, but there are also many cases in which the
> contractual power of the network is limited -- things like fair access,
> network neutrality, etc. Just claiming an empire does not automatically
> make you the emperor.

my network, my rules. your provider's network, their rules. they are 
more likely to have to follow their government's laws of commerce and 
privacy than i am likely to have to follow mine. but if the rules your 
network operator can make allow you to do what you want, use that 
network. that's invariant, for all networks, and for all instances of you.

P Vixie