Re: [DNSOP] extension of DoH to authoritative servers

Paul Vixie <paul@redbarn.org> Tue, 12 February 2019 20:48 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B5212F1A6 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:48:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BaCssT8wxl4q for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:48:14 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75B6412F1A5 for <dnsop@ietf.org>; Tue, 12 Feb 2019 12:48:14 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 05A43892C6; Tue, 12 Feb 2019 20:48:14 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
Date: Tue, 12 Feb 2019 12:48:14 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/e8gg6waXr11rfUdv8RRaIpw1RV4>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:48:16 -0000


Ted Lemon wrote on 2019-02-12 12:07:
> On Feb 12, 2019, at 11:04 AM, Paul Vixie <paul@redbarn.org 
> <mailto:paul@redbarn.org>> wrote:
>> actually, there are other choices.
> 
> I may have failed to communicate.   What I mean is that you said that 
> you can detect all nefarious traffic, but you can’t detect DoH, which to 
> you is nefarious.   What I’m saying is that there’s no such distinction, 
> or at least if there is at present, it is a temporary situation.

i realize that the political tacticians who designed DoH are searching 
for a world in which network operators have no control plane choices. i 
think they're proceeding from the mistaken belief that all control is 
evil, and that all network operators are equally deserving of 
disintermediation. and other mistaken beliefs as well, which i won't 
enumerate.

> 
> Of course you have choices about what to do about this; my point is not 
> to suggest that you do not.
> 

whether the situation turns out to be temporary or not is important to 
your final argument. probably you shouldn't go there so soon. spammers 
also believe that network operators should not be able to control their 
own networks, and malware authors, and botnet creators, and IoT 
innovators, and surveillance capitalists. none of those matters seem 
like they are, or will ever be, settled. so, none are "temporary".

my network, my rules. anyone who acts otherwise will be treated by me as 
an adversary, even folks like mozilla who have been fellow travelers for 
decades now, if they continue to pursue unblockable endpoint technology.

-- 
P Vixie