Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Brian Dickson <> Wed, 20 March 2019 03:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4CC251277E0; Tue, 19 Mar 2019 20:17:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KCv70RQH8EhM; Tue, 19 Mar 2019 20:17:38 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7ED03126C15; Tue, 19 Mar 2019 20:17:38 -0700 (PDT)
Received: by with SMTP id k14so971975qtb.0; Tue, 19 Mar 2019 20:17:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tOKjhdaNzuisyE8mpv9CeuJ6GZEs9tarv+sxE5ceaWc=; b=XNF4hDJHB797qahxIGwdEweaekVIbCxklb9BCQB18SFuZtqxKh7Pe5YVVE/25MarDn ZQ01Zt1nDN46GvyDhDJK76lJtYW/N/4lxxdOLCRnUjs+dS4ZO9AZO18wL9i1lgYfluOL z0coCpIJhPVf90cJ0/PWqoO32/9QHxRjieZIdX5ErLnG9mkD3MkAViAT5AhSgGQ8+zNL D66cfMHUnxhfGAQH/IAeFT0jWrPH3gkxD3rLVl96aBsPgop8Qt/LEmWKgBsRenpWF6Uw D+0nbne9nnCMcfA1iZrbQXvwqG4yFACqVaaJKE9ZvKrLZZMj1QpTwBuUZRbJH1Te4KEn 0YeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tOKjhdaNzuisyE8mpv9CeuJ6GZEs9tarv+sxE5ceaWc=; b=bjhEoENXLPpi/uezD2y6um631gciwT1prqA3c8iLJtfUcfGYSdRIKbd/Q3HWuSbPmd 1Ht80B7juq/SFay+DggGExjZJGagUamoXIBXkzFBJa5YnrpxSnSlYvx4oyBoP9j7AclM uLgAlEyGBnaGXga3ncLu08WRMnH2Ix83MUnbKQvv4Xb2Y7v8ygkUiPlWzlaiQVxzSjZq cHlgUo0kSkcQNimzsdGLY14w8UEWp/rth+bDxYHQes8rNmox8Cg2abkZr0xE6YKDk1oW dt+y1G0G1beNi11wFVrzDqOZfZYhEkWMoA8DSan1UPAGLUIehZpfNbVHmpveVDsIXLT3 9a6g==
X-Gm-Message-State: APjAAAU0NeXNC9mMPuOy3/7/u8bkg6DyzMyxp1LpjZzq2u9PWgHbhM5V 7QOfgCOlcaW87L7mM0/bIQA68MmKNSh67pmf1p8=
X-Google-Smtp-Source: APXvYqzDP7GWIj6pKx+aNOdBwBW6X85snZKXZlLP4rWlJPVhUGLenBJk2MvzP9DoWNsRggE6r5VtxtUSp0LGX3fFUkw=
X-Received: by 2002:ac8:2b83:: with SMTP id m3mr4994681qtm.305.1553051857579; Tue, 19 Mar 2019 20:17:37 -0700 (PDT)
MIME-Version: 1.0
References: <> <3457266.o2ixm6i3xM@linux-9daj> <> <1914607.BasjITR8KA@linux-9daj> <> <> <> <>
In-Reply-To: <>
From: Brian Dickson <>
Date: Tue, 19 Mar 2019 20:17:25 -0700
Message-ID: <>
To: Stephen Farrell <>
Cc: Jared Mauch <>, Michael Sinatra <>, Ted Hardie <>, DoH WG <>, paul vixie <>, dnsop <>
Content-Type: multipart/alternative; boundary="00000000000049f3a805847e105c"
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Mar 2019 03:17:41 -0000

On Tue, Mar 19, 2019 at 6:42 PM Stephen Farrell <>

> Hiya,
> One individualistic data point on this sub-topic, and a real point:
> On 20/03/2019 01:13, Jared Mauch wrote:
> > My impression is there are people who will not be satisfied until all
> traffic looks
> > identical and you have zero way to protect your home,
> I do not claim that everyone ought do the same, but I absolutely
> do claim that encouraging voluntary policy adherence by dealing
> with the people using the n/w is preferable to many egregiously
> invasive attempts to force technical policy enforcement on
> unwilling serf-like users.

So, this is the problem:
- If a network operator has any policy that is enforceable, ONLY the
technical policy enforcement model scales.
- In such an environment, there are only, ever, "willing users", because,
in order to use the network, they are required to agree to the policies.

This makes the argument you have above, a vacuously defined one.
You want to encourage voluntary policy adherence for a non-existent set of
otherwise unwilling users.

I understand your position: you would prefer that {some,all} networks were
not employing policies that {you,some people} disagree with.
I sympathize, but I disagree. What we need are mechanisms that scale.
My position (personally) is that we find ways to have scalable, technical
They should allow users (or machine administrators) to be as compliant as
they are willing, and no more.
They should allow networks to enforce their policies, while treading as
lightly as possible.
It should be possible to use technical means to handle this negotiation
with little to no user input required.
The analogy is roughly that of escalation-of-force in law enforcement,
starting at a level of "polite requests".

You can disagree, but I implore you: please don't stand in the way of those
wanting to find consensus on scalable, flexible, technical solutions that
encompass a wide range of network policies and enforcement needs.

The main point is, I believe the end result will be mechanisms that allow
you to deploy networks that meet your needs, and software that you can
configure to bypass such controls, but that neither of those should ever be
the default configurations.

If the results allow you to do what you want/need, and also allow others to
do what they want/need, everyone should be happy enough with the result.

Can we at least agree on this as a desired goal for this work?