Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <> Mon, 20 August 2018 16:57 UTC

Date: Mon, 20 Aug 2018 09:57:51 -0700
From: Paul Vixie <>
To: Ted Lemon <>
CC: Joe Abley <>, dnsop WG <>
List-Id: IETF DNSOP WG mailing list <>

>> On 20 August 2018 at 17.55 Ted Lemon <> wrote:
>> I am entirely within my rights to use DoH whether the network
>> operator likes it or not.

so, their network, but not their rules? when spammers used to tell me 
that sending spam wasn't illegal and i had to accept it, i blackholed 
them and said, my network, my rules. who has what rights, and why?

>> It is certainly true that in some cases, someone using DoH would be
>> violating a network operator policy that is enforceable, or would
>> be violating the law.   But that is by no means the most common
>> case, and it does you no credit to pretend otherwise.

some references i've seen go by in this thread indicate that the DoH 
team wants its protocol to be unblockable, and hopes that RDNS DOH 
providers will co-locate their DOH endpoints with other valuable 
content, "so that network operators will think twice about blocking it."

if there are use cases beyond violating the law and violating network 
operator security policy, then they are obviously secondary, but do 
tell-- what do you think those might be?

i also block tor endpoints. because, my network, my rules. if it's going 
to be my network but mozilla's or cloudflare's rules, then this 
conversation is going to travel very differently, because i'll still be 
paying for it, but it won't be _my_ network any more. would that sit 
well with you? it wouldn't with me.

P Vixie