Re: [Doh] New: draft-livingood-doh-implementation-risks-issues

"Ralf Weber" <dns@fl1ger.de> Mon, 11 March 2019 08:47 UTC

From: "Ralf Weber" <dns@fl1ger.de>
To: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
Cc: "Livingood, Jason" <Jason_Livingood@comcast.com>, "DoH WG" <doh@ietf.org>
Date: Mon, 11 Mar 2019 09:47:03 +0100
Message-ID: <5FE94C8C-158D-43AD-86B6-1949A8F740EC@fl1ger.de>
In-Reply-To: <20190310073306.GA10396@laperouse.bortzmeyer.org>
References: <EA2A119D-06CF-4B0B-8994-86A99CD8AC0B@cable.comcast.com> <20190309182857.GA29321@laperouse.bortzmeyer.org> <6ED365D5-8717-46A6-B75E-A628753C2979@fl1ger.de> <20190310073306.GA10396@laperouse.bortzmeyer.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/P1We_k1uUtbRs7TXmkJWWhiel7k>

Moin!

On 10 Mar 2019, at 8:33, Stephane Bortzmeyer wrote:

> You are not a lawyer and neither am I, but I think it is more
> complicated. At least in France but probably in many other countries,
> legal rulings by courts are to be enforced only by organisations which
> have been named in the rulings. Most of them don't name Google Public
> DNS or Cloudflare 1.1.1.1 or Yandex DNS. For the censorship which does
> not go through courts, such as the blacklist of the government in
> France, the list is not public and therefore public DNS resolvers
> cannot follow it, even if they want to (at least one not-for-profit
> organisation explicitly asked for this list and was denied). So, no, I
> don't think they are breaking the law (yes, IANAL, but nobody here is).
As you say, we are both not lawyers, and law is a thing that is still
highly country dependent, so it might differ from country to country.
Most jurisdictions though have something from the old Roman law, "Ignorantia
legis non excusat", meaning that not knowing the law doesn't protect you from
punishment. So while you may be fine now, because your volume is so low
that lawmakers don't care, you might not be in the future.

>> But to deploy it you need money and a business case, and I can not
>> find a primary business case to run a DoH server.
>
> The will to provide an alternative? In France, at least two
> not-for-profit organisations operate a public DNS resolver precisely
> for that. There is not only business in life.
Good, but even not-for-profits need money from someone, and I doubt that we
can supply DoH service for a large portion of the Internet using non-profit
organisations.

>> I think the only way to get lots of DoH providers is to help the
>> ISPs to do it as they are the natural decentralised player on the
>> internet.
>
> Clearly, we disagree here, but it seems more a political disagreement
> than a technical issue with the protocol of this WG.
You didn't mention an alternative, or do you really think that a lot of
different non-profit organisations will provide resolving for the
Internet?

Also, the DoH protocol and the subsequent actions of application providers
triggered these discussions. So where should we discuss them if not here?

So long
-Ralf
--
Ralf Weber