(Apologies for top-replying) I think, from squinting at this a bit, that what is missing is some kind of policy/service discovery, and coming to some kind of agreement (between DNSOP and DOH, and any/all other interested parties) on what default behavior should be (and under what conditions/circumstances), e.g. with respect to opt-in vs opt-out.
E.g. If the local network operator is giving out addresses using DHCP or the equivalent, then the presence/absence of DNS options in the answers should to some degree dictate (permitted) behavior. And similarly, having some kind of DoH signaling incorporated in the DHCP options would be a sensible analogous mechanism. E.g. "I will allow you to request DoH using providers X, Y, and Z, but insist on being a MITM for those connections", or "Go ahead and do DoH to any of these providers X, Y, Z, but no others", or "DoH is prohibited here, use DNS", or "You can use DoT to these providers, DoH with me as MITM, or this DNS resolver, but you can't run your own resolver". Not sure what other mechanisms might be worth considering as alternatives (dns-sd of some flavor)... The mechanisms definitely need to be a lot cleaner, more transparent, and configurable, for clients, network operators, and possibly DoT/DoH operators. (Did we learn nothing from the dial-up ISP early days, with mailing out physical CD ROMs with phone numbers in lists and browsers included?)

Brian

On Sun, Mar 10, 2019 at 11:17 PM Paul Vixie <p...@redbarn.org> wrote:
>
>
> Christian Huitema wrote on 2019-03-10 23:05:
> > On 3/10/2019 10:24 PM, Paul Vixie wrote:
> >
> >> if you are using my network, then it makes no difference which of us
> >> bought you that laptop. you will use the RDNS i allow you to use. RDNS
> >> is part of the control plane, and i use it for both monitoring and
> >> control. sometimes that's so that i can see malware beacon to its C&C.
> >> sometimes that's so that i can institute parental controls.
> >>
> >> if you don't like my rules, you should vote with your feet, and not
> >> visit me. because that is the only choice you will have. (yes, i will
> >> be part of a major new project to identify and block all DoH services,
> >> so that behavioural security policies can still work, because you may
> >> have noticed that the internet has never become MORE secure from new
> >> tech, but it occasionally becomes LESS secure more slowly because of
> >> policy.)
> >
> >
> > "Use a VPN, or use the local defaults".
>
> that is not what i said.
>
> > Well, there are plenty of
> > in-between.
>
> yes, and i gave examples.
>
> see above.
>
> > You claim the right to impose your rules, because it is "your network".
> > Yet you have to define ownership. You are providing network services
> > under some contractual terms. There are cases where an imperial network
> > can dictate those terms, but there are also many cases in which the
> > contractual power of the network is limited -- things like fair access,
> > network neutrality, etc. Just claiming an empire does not automatically
> > make you the emperor.
>
> my network, my rules. your provider's network, their rules. they are
> more likely to have to follow their government's laws of commerce and
> privacy than i am likely to have to follow mine. but if the rules your
> network operator can make allow you to do what you want, use that
> network. that's invariant, for all networks, and for all instances of you.
>
> --
> P Vixie
>
> _______________________________________________
> dns-privacy mailing list
> dns-priv...@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop