Re: [DNSOP] extension of DoH to authoritative servers

"Patrik Fältström " <paf@frobbit.se> Tue, 12 February 2019 20:55 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37DF4130DBE for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:55:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.722
X-Spam-Level:
X-Spam-Status: No, score=-1.722 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NvqKTOTdOduh for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:55:55 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [85.30.129.185]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DBE112F1A6 for <dnsop@ietf.org>; Tue, 12 Feb 2019 12:55:55 -0800 (PST)
Received: from [172.10.11.240] (210.22.92.62.static.cust.telenor.com [62.92.22.210]) by mail.frobbit.se (Postfix) with ESMTPSA id B00282488C; Tue, 12 Feb 2019 21:55:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1550004951; bh=GlfQBqxAqwx9WVuLY1Ze/AGAmV+FLzX2P72Kt166vJA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IHdbbbhGFhAiElT9Eg9WoWUZ6jeWdq825McO2FhSf1Gu4jZ7afyWLQOkrD+LGCDAD dgr6d5LWNXHXHd1R6u9fhxxoWC8nLNttPh2p9KBVsmsZjAxquB+hpi/iH2NKJeVrP4 SQXt9BpvE5HzKaBWITyLZb7v6eApLFwpoJ2DbxCM=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Paul Vixie" <paul@redbarn.org>
Cc: "Ted Lemon" <mellon@fugue.com>, dnsop <dnsop@ietf.org>, "David Conrad" <drc@virtualized.org>
Date: Tue, 12 Feb 2019 21:55:50 +0100
X-Mailer: MailMate (1.12.4r5597)
Message-ID: <87420B68-233B-4330-AF5B-6124B40DC5BF@frobbit.se>
In-Reply-To: <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_41A141DD-841A-45D3-AE20-59522178234C_="; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hoyA4w36mvm9XHZtZLffHcTJ-_c>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:55:57 -0000

On 12 Feb 2019, at 21:48, Paul Vixie wrote:

> whether the situation turns out to be temporary or not is important to your final argument. probably you shouldn't go there so soon. spammers also believe that network operators should not be able to control their own networks, and malware authors, and botnet creators, and IoT innovators, and surveillance capitalists. none of those matters seem like they are, or will ever be, settled. so, none are "temporary".

The current legal system and court decisions require access providers to have some control. Today it is "enough" for the access providers to block DNS lookup of certain domain names. We on THIS list understand how easy it is to go around that kind of blocking, but that does not matter. It is enough for the legal systems in the world.

If the control over the DNS lookups is no longer possible by the access provider, then the access providers by law have to use other tools to control the traffic from their customers.

So, it is not only their choice.

   Patrik