How will you block it?

On Sat, Aug 18, 2018 at 5:46 PM, Paul Vixie <p...@redbarn.org> wrote:
> Ted Lemon wrote:
>> DHCP authentication doesn't exist. We already rejected a draft that
>> described how to set up DoH with DHCP. Yours is a little more
>> complicated, but doesn't seem any less dangerous. Before you go any
>> farther on this, you might ask yourself a couple of questions:
>>
>> 1. Why is DoH being used?
>> 2. What is the threat model that DoH is addressing?
>> 3. How does adding this configuration mechanism impact DoH's ability to
>> address that threat model?
>
> the DoH use case is for web users and web apps who do not trust their
> network operator and who are not trusted by their network operator, so it's
> a policies-in-the-night model where data can be imported from The Web
> without approval or permission or control or observability by a network
> operator. it is in other words a thin DNS-only way to do what Tor does.
>
> as a network operator, i oppose this thinking. i predict a long war in
> which web users and apps who want to use DoH to reach an external DNS
> resolver will be treated as attackers, and either banned or blocked. in
> some parts of the world such use will be illegal and even punishable, much
> as Tor is today.
>
> this is what happened after edward snowden flew to hong kong: the pendulum
> swung so far the other way that many of us saw only absurdity.
>
> the possibility that large CDN operators will colo a DoH endpoint with
> their high-value hosting, in order to discourage network operators from
> blocking it, raises the stakes. _i_ will block it. most corporate networks
> will block it in some form. some countries will block it. no DNS content
> will enter my network without having passed through my RPZ rules. if a CDN
> operator wants to play "chicken", i guess that we will.
>
> --
> P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
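Vixie's answer to the blocking question is RPZ on his own recursive resolver. As an added illustration that is not part of the thread and not anyone's production configuration, this is what such a policy looks like in BIND's response-policy zone syntax. The zone name rpz.local, the resolver hostname doh.resolver.example and the address 192.0.2.1 are placeholders chosen for the example, not endpoints named by any participant.

```dns
// file: named.conf (excerpt) -- hypothetical example configuration
options {
    // consult the policy zone before returning any answer to clients
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "rpz.local.zone";
    allow-query { none; };   // policy data is for the resolver, not for clients
};

; file: rpz.local.zone -- hypothetical response policy zone
$TTL 300
@                        IN SOA   localhost. hostmaster.localhost. (
                                  2018081801 ; serial
                                  3600       ; refresh
                                  900        ; retry
                                  604800     ; expire
                                  300 )      ; negative-answer TTL
                         IN NS    localhost.

; QNAME trigger: CNAME to the root returns NXDOMAIN for the DoH endpoint
; and everything under it, so a client that bootstraps the endpoint by name
; through this resolver never learns its address.
doh.resolver.example     IN CNAME .
*.doh.resolver.example   IN CNAME .

; Variant: CNAME to "*." returns NODATA (name exists, no records) instead.
; doh.resolver.example   IN CNAME *.

; Response-IP trigger (prefix length, then the address reversed): matches any
; answer that contains 192.0.2.1/32, whatever name was asked for. This is the
; blunt instrument the thread is about: if the DoH endpoint shares that
; address with other hosted content, this rule takes that content down too.
; 32.1.2.0.192.rpz-ip    IN CNAME .
```

After loading, `named-checkzone rpz.local rpz.local.zone` validates the zone and `dig @127.0.0.1 doh.resolver.example` should return NXDOMAIN. The caveat a practitioner should keep in mind is that RPZ acts only on queries that reach this resolver: a DoH client that already holds the endpoint's address, from a cache or a hard-coded configuration, sends no query for the resolver to rewrite, so name-based policy needs a packet filter behind it to be more than a bootstrap obstacle.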