Hi,

thanks for comments. This draft has little to do with DoH (the primary
focus is DoT) or its comparison to other technologies. It's about a
network operator being able to advertise that its recursive server
supports DNS on more than just port 53. Please let's stay at least a
bit on topic.

Marek

On Sat, Aug 18, 2018 at 2:46 PM, Paul Vixie <p...@redbarn.org> wrote:
>
>
> Ted Lemon wrote:
>>
>> DHCP authentication doesn't exist. We already rejected a draft that
>> described how to set up DoH with DHCP. Yours is a little more
>> complicated, but doesn't seem any less dangerous. Before you go any
>> farther on this, you might ask yourself a couple of questions:
>>
>> 1. Why is DoH being used?
>> 2. What is the threat model that DoH is addressing?
>> 3. How does adding this configuration mechanism impact DoH's ability to
>> address that threat model?
>
>
> the DoH use case is for web users and web apps who do not trust their
> network operator and who are not trusted by their network operator, so it's
> a policies-in-the-night model where data can be imported from The Web
> without approval or permission or control or observability by a network
> operator. it is in other words a thin DNS-only way to do what Tor does.
>
> as a network operator, i oppose this thinking. i predict a long war in which
> web users and apps who want to use DoH to reach an external DNS resolver
> will be treated as attackers, and either banned or blocked. in some parts of
> the world such use will be illegal and even punishable, much as Tor is
> today.
>
> this is what happened after edward snowden flew to hong kong: the pendulum
> swung so far the other way that many of us saw only absurdity.
>
> the possibility that large CDN operators will colo a DOH endpoint with their
> high-value hosting, in order to discourage network operators from blocking
> it, raises the stakes. _i_ will block it. most corporate networks will block
> it in some form. some countries will block it. no DNS content will enter my
> network without having passed through my RPZ rules. if a CDN operator wants
> to play "chicken", i guess that we will.
>
> --
> P Vixie
>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
