Re: [Doh] [DNSOP] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Eliot Lear <> Mon, 25 March 2019 09:13 UTC

Cc: Brian Dickson <>, "" <>, "" <>
To: Paul Wouters <>


> On 24 Mar 2019, at 23:25, Paul Wouters <> wrote:
>> The blocking of DoT to a given provider should be interpreted as an explicit policy. Users should be informed
>> that they may, and very likely will, be violating someone’s policy, if they choose to use DoH in that
>> circumstance, and that they may be violating laws by doing so, and should only do so if they are willing to
>> accept that risk.
> Again, this is the network operator centric view. There are many hostile
> networks that would block DoT just so that they could monetize (legally
> or illegally!) from my harvested DNS data. I can assure you the warning
> you want to write to users would be very different from the warning I
> would want to give those users. Which is why the IETF doesn't do
> banners towards end users.

Putting aside legal language, Brian’s basic notion is that the user can make an informed decision and the network can express its policies, with which the user can agree or not agree (and go elsewhere). Having the protocol elements to permit this sort of agreement is its own tussle.