Re: [Doh] [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

Paul Vixie <> Tue, 12 March 2019 19:56 UTC

From: Paul Vixie <>
To: Christian Huitema <>
Cc:, Eric Rescorla <>, "" <>, "Ackermann, Michael" <>, "Konda, Tirumaleswar Reddy" <>, nalini elkins <>, "" <>, Vittorio Bertola <>, Stephen Farrell <>
Date: Tue, 12 Mar 2019 19:56:30 +0000
Message-ID: <1709670.IeiIJmgblr@linux-9daj>
Organization: Vixie Freehold
References: <> <4935758.NkxX2Kjbm0@linux-9daj> <>

On Tuesday, 12 March 2019 18:56:05 UTC Christian Huitema wrote:
> On 3/12/2019 11:35 AM, Paul Vixie wrote:
> > if someone is concerned that some of the web sites
> > reachable through some CDN are dangerous...
> Paul, who is this someone?

a network operator.

> How do they decide? What does dangerous mean?

that's a local policy matter, not subject to standardization, thus off-topic.

> These questions are very much behind the tension we see today. And the
> answers are not as black and white as "this is my network, I get to decide".

if it is my network, i get to decide. that's what i told spammers when i 
started the first anti-spam company (MAPS) and co-invented the first 
distributed reputation protocol (RBL), 23 years ago. it remains true today.

my network, my rules. don't like my rules? use a different network.

> For example, users routinely delegate the filtering decision to some
> kind of security software running on their device, often with support
> from some cloud based service. They are making an explicit decision, and
> often use menu options to decide what type of site is OK or not --
> adults would probably not subscribe to parental control services. There
> is a market for these products, they compete based on reputation, ease
> of use, etc.
> You are saying that whoever happens to control part of the network path
> is entitled to override the user choices and impose their own. Really?

no. not really. not at all. because, as before, you are claiming to restate my 
position, but doing so erroneously.

> As Stephane wrote, that may be legit in some circumstances, but much
> more questionable in others, such as a hotel Wi-Fi attempting to decide
> what sites I could or could not access. It really is a tussle.

i don't like the chinese government's rules for the great firewall. so, i keep 
my visits to that otherwise-great country short. this hurts me, and maybe 
hurts them also. but, it's their country, and i will obey their laws when i am 
using their network. and then i'll vote with my feet, to get to a better 
network with better rules. i once traveled to HK for a weekend between two 
week-long conferences behind the GFW, just so i could get work done.

if you visit my home or office, you will either use my offered RDNS, or you 
will use an authorized VPN. so, beware. those are the rules. if you want 
different rules, use a different network.