I think that you are whistling past the graveyard. If your firewall allows HTTPS without a proxy, then everything that DoH allows is already possible, and is probably already being done, because it's so obvious. If you disagree with me about this (and I can think of a few reasons why you might) then you should articulate what is possible with DoH that isn't already possible with HTTPS.
On Mon, Aug 20, 2018 at 2:11 PM, Paul Vixie <p...@redbarn.org> wrote:

> Ted Lemon wrote:
> ...
>> I think HTTPS was pretty hostile to local network policy. Indeed,
>> there was a big argument about that in the TLS working group over the
>> past few IETFs. If you don't want people to use DoH, there's an easy
>> solution, which you already need to use regardless: you have to MiTM
>> their HTTPS traffic. If you don't agree that you have to MiTM their
>> HTTPS traffic to achieve what you want, then I think we are not arguing
>> about the same thing.
>
> it used to be occasionally necessary. with DOH it will be universally
> nec'y. this will add complexity (so, cost and error rate) and increase
> surveillance. the DOH people should be told not to proceed to draft
> standard until their design accommodates the needs of network operators.
>
> --
> P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
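The reply above turns on one observation: a firewall that passes HTTPS without a proxy sees only TLS, so DoH is invisible to it, while a proxy that terminates TLS sees the HTTP layer and can recognise DoH requests. The following is an added example, not code from the thread or from either author, showing what that visibility looks like on the proxy side. It scans constructed proxy access-log lines for the two DoH markers defined in RFC 8484: the `application/dns-message` media type and the base64url `dns` query parameter used by GET requests. The log format, host names, client addresses and the `dns=` value are all made up for the example.

```python
"""
Added example (not from the DNSOP thread): flag HTTP requests in a
TLS-terminating proxy's access log that carry DNS-over-HTTPS payloads.

Constructed log format, one request per line:
    <client> <method> <url> <request Content-Type> <response Content-Type>
A "-" means the header was absent.
"""
from urllib.parse import urlsplit, parse_qs

# RFC 8484 media type for DoH request and response bodies.
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed sample lines; hosts, addresses and the dns= value are invented.
SAMPLE_LOG = """\
10.0.0.5 GET https://resolver.example/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB - application/dns-message
10.0.0.5 POST https://resolver.example/dns-query application/dns-message application/dns-message
10.0.0.7 GET https://www.example/index.html - text/html
10.0.0.9 POST https://api.example/v1/upload application/json application/json
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    client, method, url, req_ct, resp_ct = line.split()
    return {"client": client, "method": method, "url": url,
            "req_ct": req_ct, "resp_ct": resp_ct}


def looks_like_doh(rec):
    """Return the reason a record looks like DoH, or None if it does not."""
    # POST requests (and responses to either method) carry the DoH media type.
    if DOH_MEDIA_TYPE in (rec["req_ct"], rec["resp_ct"]):
        return "dns-message media type"
    # GET requests carry the wire-format query base64url-encoded in ?dns=.
    if rec["method"] == "GET":
        query = parse_qs(urlsplit(rec["url"]).query)
        if "dns" in query:
            return "dns query parameter"
    return None


def find_doh(log_text):
    """Return (client, resolver host, reason) for every DoH-looking line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = looks_like_doh(rec)
        if reason:
            hits.append((rec["client"], urlsplit(rec["url"]).netloc, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in find_doh(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

Both checks depend on seeing the plaintext request and response headers, which is exactly what a pass-through firewall never gets; the same lines reduced to what such a firewall observes (client, server address, port 443, SNI if present) would give nothing to match on.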