Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

神明達哉 <> Wed, 20 March 2019 18:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0A32F130F25; Wed, 20 Mar 2019 11:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.669
X-Spam-Status: No, score=-0.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cwhP6RjKhrlw; Wed, 20 Mar 2019 11:40:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EB6EB1200B3; Wed, 20 Mar 2019 11:40:10 -0700 (PDT)
Received: by with SMTP id a184so274153wma.2; Wed, 20 Mar 2019 11:40:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rQ3kdgZuenk4U0DtAD9p8rEVK9qsyMgYZ/0Ux2nfnxw=; b=a6wSIlC8YridIDdpGNLPUCE4IaIHSjhrCLhk63H9bt+sKt/sorvgIUMfTQGWIv+5T7 SPN/sUYfXVZpu7qoojRrejpo794KKWqbRuXlyePeHjAP1lXqpaIRhi/Top68moVBJLnf /F7bVNZ+n+e6RlEKLHT3EtaIipG8bic7yz4hmpuvvY3B8WOdZOkNnSre4C4wfgfFDB/Q ud/ab1SL5vmxjXnoBhrxMTEjgZkOP7A/N38O8+PmpP+e9TUxl7uoMetOrnIVIrF1ztqX Oq0G4kXSWLMqnO3TgktKgtJJWDoHa9JsLC41+D1lk3XbM3m8yMSV+aXbQfsjJE1YrfZS QB8g==
X-Gm-Message-State: APjAAAUGUgWbqwNfTCAqv89aq/GE/Klgk0RrpjIU2fzR6Jbc7R7530+7 Asg7X6qjuukxsu8zZPIrQP8inYTdRFe3oOtxCKk=
X-Google-Smtp-Source: APXvYqzLoP6avYU7dtXPqxn0I7GBz+AmBmjnH/leoaEzJj++2hHAGa+0wsPjCPlqpGsPUq7RUIPiAXCeLgMhc7TYK7o=
X-Received: by 2002:a1c:4641:: with SMTP id t62mr9767076wma.53.1553107209255; Wed, 20 Mar 2019 11:40:09 -0700 (PDT)
MIME-Version: 1.0
References: <> <3457266.o2ixm6i3xM@linux-9daj> <> <1914607.BasjITR8KA@linux-9daj> <> <> <> <> <> <> <>
In-Reply-To: <>
From: 神明達哉 <>
Date: Wed, 20 Mar 2019 11:39:57 -0700
Message-ID: <>
To: Joe Abley <>
Cc: Jared Mauch <>, Ted Hardie <>, DoH WG <>, Brian Dickson <>, dnsop <>, paul vixie <>, Michael Sinatra <>, Stephen Farrell <>
Content-Type: multipart/alternative; boundary="00000000000081802a05848af30c"
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Mar 2019 18:40:13 -0000

At Wed, 20 Mar 2019 12:38:05 +0100,
Joe Abley <> wrote:

> > Often as an industry we may discuss various solutions that are great
for oneself but don’t scale when looking at the big picture.
> I think what we are seeing is the fundamental tension between privacy and
control. You need to give up some privacy in order to make the control
possible; you need to give up some control in order to afford privacy.

> Some in this thread want certainty that they are able to exercise
control, e.g. for devices in their network.

> Some in this thread want certainty that they can obtain privacy, e.g. for
for their device in any network.


Thank you for the nice, concise summary.  I think it's well-balanced
observation of where we are.  (I'm so glad I can finally see a
constructive post after seeing a common pattern of boring IETF
discussion, where people with different opinions just keep stating
their views without making any real progress:).

> Seems to me that there's a middle ground within sight here.
> Standardise this privacy mechanism, and specify (with reasoning) that it
should be implemented such that the existence of the channel (but not the
content) can be identified as distinct from other traffic by third parties.
Maybe specify use of a different port number, as was done with DoT.

I see that those who want to exercise control can live with this (or
at least using a different set of IP addresses for DoH servers than
those for other ordinary web services).  But I'm not so sure if that's
acceptable for the other group.  In that sense I'm curious whether
some big possible DoH providers are now willing to accept this middle
ground.  If my memory is correct the longer term plan at Google (and
maybe also Clouldflare?) is to provide DoH service on the same IP
addresses as those for other ordinary and popular web services (and on
port 443, of course), so that an intermediate operator cannot easily
block access to their DoH services.

> Those who choose to ignore that direction and create a covert channel
using port 443 instead will do so. Nothing much we can do to stop that
today (I guarantee it is already happening). The future is not really

True.  But I think giant providers tend to respect a community
consensus.  Niche or really malicious players may/will still ignore
it, but it would be very difficult for them to collocate their DoH
services with other important web services that can hardly be blocked,
so it shouldn't be a big problem for "those who want certainty of
control".  So if we can really agree on the above "middle ground" and
publish a BCP or something that describes the consensus, I guess we
can now really work on technical issues.  But I'm not sure if we can
reach that consensus.

JINMEI, Tatuya