Re: [DNSOP] [dns-privacy] [Doh] New: draft-bertola-bcp-doh-clients

Paul Vixie <> Wed, 03 April 2019 19:26 UTC

To: Christian Huitema <>
Cc: Vittorio Bertola <>,
From: Paul Vixie <>
Date: Wed, 3 Apr 2019 12:26:10 -0700
List-Id: IETF DNSOP WG mailing list <>

i had to think about this for quite a long time. i've trimmed the cc

Christian Huitema wrote on 2019-03-12 20:39:
> On 3/12/2019 7:56 PM, Vittorio Bertola wrote:
>> ...
> The mirror image of that statement is, "when did intermediaries get
> a mandate to filter content?"

it was rarely a mandate, though various governments have made it one for
various intermediaries. let me answer a different question, when did
intermediaries gain the right or responsibility or both for filtering
content? because that answer is simple: when they started building and
operating it, investing in it, and either profiting or losing from it.

their networks, their rules. which is only potentially unfair when they
are also monopolies, in which case their end systems and edge networks
have no alternatives. the law may want to recognize when a monopoly
exists and set some minimums and maximums on intermediary operator
rights and responsibilities. but that's not an architecture question.

> ... The internet architecture assumes full connectivity. At some 
> point, people deployed middle-boxes and filtered content because
> they could.

as seems natural, since the internet architecture is neither viral nor
communist, and anyone who connects a network to that network-of-networks
called "the internet" has always treated all policy as local, since all
responsibility for its emissions and uptime was theirs and only theirs.

> They did not exactly try to get a mandate, or obtain consensus that
> this was proper.

no consensus was needed. if someone broke your rules, you stopped them
or disconnected them. that was true for the NSFnet AUP, and it's true of
every network's AUP today, and every corporate or family network's policy.

> Technologies like DoH force the discussion in the open. Why do you
> think you can filter content? Who made you king?

i think that's hyperbole. i am at best a prince, and only of the 
territory i personally pay to build and connect, and only in the eyes of 
people who use my network. anyone who dislikes my rules can search for 
some other internet-connected network whose rules they like better. this 
is not a dictatorship, but certainly is a coalition of the willing.

P Vixie