Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Jared Mauch <> Wed, 20 March 2019 01:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 90024128DFF; Tue, 19 Mar 2019 18:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N_nIqWpntjOF; Tue, 19 Mar 2019 18:14:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1521B1277E7; Tue, 19 Mar 2019 18:14:03 -0700 (PDT)
Received: from [IPv6:2603:3015:3606:cbe1:cd14:2c86:15f5:ed4e] (unknown [IPv6:2603:3015:3606:cbe1:cd14:2c86:15f5:ed4e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 79018540EE9; Tue, 19 Mar 2019 21:14:00 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Jared Mauch <>
In-Reply-To: <>
Date: Tue, 19 Mar 2019 21:13:59 -0400
Cc: Ted Hardie <>, paul vixie <>, dnsop <>, DoH WG <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <3457266.o2ixm6i3xM@linux-9daj> <> <1914607.BasjITR8KA@linux-9daj> <> <>
To: Michael Sinatra <>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Mar 2019 01:14:04 -0000

> On Mar 12, 2019, at 5:52 PM, Michael Sinatra <> wrote:
> [1] As an example, I am personally and practically opposed to inline TLS
> decryption in most enterprises.  DoH gives further ammo for security
> folks to insist on inline TLS decryption, IMO.  DoT, not as much, since
> the protocol can be easily identified on the wire and any necessary
> actions taken.  Manipulating DoT transactions is a far cry from
> manipulating/decrypting all TLS...

My impression is there are people who will not be satisfied until all traffic looks
identical and you have zero way to protect your home, enterprise or similar.  (The lack
of protection is a side-effect, not a design criteria of making it harder to detect
variation in endpoint behavior)

I don’t support efforts to offer standards that make everything look the same when
they are not the same.

Next someone is going to show up in IDR saying how we must TLS all the routing data
because reasons.  

- Jared