Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-reid-doh-operator

"Winfield, Alister" <> Fri, 22 March 2019 08:48 UTC

From: "Winfield, Alister" <>
To: Eric Rescorla <>, Vittorio Bertola <>
CC: dnsop <>, DoH WG <>, Christian Huitema <>, Wes Hardaker <>

I have to say it, but almost certainly I'll stop using any software that chooses at any point to silently choose what I mean by the word privacy (using a large-scale American provider for DoH example). This is simple: you allow choice, but that choice MUST be both visible and explicit on what the choice means in terms of how it affects privacy. No lies and half truths and no defaults changing the risks I know about.

Note, I guarantee certain US organisations are loving the idea that large percentages of worldwide DNS might go to a small number of American companies. Those companies will be receiving little letters and they WILL be forced to silently comply.

Oh, and in the general case, did anyone weigh up total privacy? That is, does this decrease security by removing visibility of bad things such that the likelihood of data breaches and thus privacy invasion is in total far worse than it was before creating the DoH protocol?


From: Doh <> on behalf of Eric Rescorla <>
Sent: Friday, March 22, 2019 8:35 am
To: Vittorio Bertola
Cc: dnsop; DoH WG; Christian Huitema; Wes Hardaker
Subject: [EXTERNAL] Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

On Fri, Mar 22, 2019 at 12:53 AM Vittorio Bertola wrote:

> On 22 March 2019 at 4:40, Christian Huitema wrote:
> Much of the debate is on the second point. One position is that users should be forced to trust the DNS resolver provided by the local infrastructure. Another position is that users have the right to apply their own policy and decide which server they will trust, based on some configuration.

I think this is a mischaracterization of the debate, which actually started because of a third position that you don't mention: Mozilla's public statement that in the future they will force (or, at least, make as a default - clarification requests haven't solved the doubt yet) Firefox users to use a remote resolver chosen within a shortlist that they will manage.

I'm not sure where you have attempted to clarify this point (I think we've been clear on this point at<>)

Regardless of what the default is, users will be able to disable DoH.

