Warren Kumari wrote on 2019-03-09 22:48:
[ + DNSOP]
...
> I think it would be very valuable to not conflate DNS-over-HTTPS (the
> protocol) with the "applications might choose to use their own
> resolvers" concerns.
i disagree. as an example:
Two primary use cases were considered during this protocol's
development. These use cases are preventing on-path devices from
interfering with DNS operations, ...
(from the Introduction of RFC 8484.)
no other off-network RDNS is reachable by malware which somehow gets
into my network, or BYOD devices that have a coffee-shop configuration,
or any other rogue purpose which is at odds with me as the operator of
"on-path devices". i intend to interfere. DoH turns traditional rules on
their head, and does so _deliberately_.
if the authors of DoH don't want to be lumped in with the "apps
(malware) that might choose to use their own resolvers" then they ought
to have designed it to work in concert with local network policy. in
other words, make it blockable. by explicitly and aggressively taking
the position they took, they own the followup, including the Reid draft.
i have been away as long as possible, which means i was surprised that
the IESG was willing to allow a document to standardize hostility
between me as a parent and my children who are subject to my parental
controls technology, and between me as a network operator and malware
authors who can't succeed without bypassing my DNS servers.
but, the cat is out of the bag now, and it's going to be pretty messy.
please do not blame that mess on jim reid or on his draft.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop