On Monday, 11 March 2019 18:18:38 UTC Eliot Lear wrote:
...
> > i wonder if everyone here knows that TLS 1.3 and encrypted headers is
> > going to push a SOCKS agenda onto enterprises that had not previously
> > needed one, and that simply blocking every external endpoint known or
> > tested to support DoH will be the cheaper alternative, even if that makes
> > millions of other endpoints at google, cloudflare, cisco, and ibm
> > unreachable as a side effect?
> 
> That or it will require a bit more management at the MDM level.  I’m hoping
> the latter.  And I hope that one output of all of these documents will be a
> recommendation regarding MDM interfaces.
MDM is a cooperation protocol. that is, both the operator and the app or user 
have to want data management to be mastered (DM to be M, so, MDM).

this is off-topic for DoH, which seeks to prevent on-path interference with 
DNS operations. that is, someone or something using DoH cannot be expected to 
seek cooperation with the network operator.

teenagers and malware being two easy examples. BYOD being another.

pre-DoH, it was possible to ensure that noncompliance with MDM would yield 
failures. that is, disallowing outbound 53 and 853 except from the operator's 
own name servers. post-DoH, such enforcement is (deliberately) impossible.

can we therefore please stop talking about MDM here.

vixie


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
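Added example, not part of the thread above and not anyone's posted code: a toy model of the two enforcement options discussed in it. The first is the pre-DoH egress rule Vixie describes (drop outbound 53 and 853 unless the source is one of the operator's own name servers); the second is the "block every external endpoint known to support DoH" alternative from the quoted earlier message. Running both over a handful of constructed flows shows why a port-based rule says nothing about DoH (it is 443, like every other HTTPS connection) and why a destination blocklist drops ordinary web traffic to the same hosts as a side effect. Every address is taken from the RFC 5737 documentation ranges and the "label" on each flow is ground truth for the reader only; the policy functions never consult it.

```python
"""Toy egress-policy model for the DNSOP thread on DoH vs. MDM enforcement.

Constructed example: addresses are from RFC 5737 documentation ranges
(192.0.2.0/24 is the operator's network, 198.51.100.0/24 and 203.0.113.0/24
stand in for the Internet). Nothing here is a real resolver or DoH endpoint.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")          # assumption
OPERATOR_RESOLVERS = {                                        # assumption
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("192.0.2.54"),
}
DNS_PORTS = {53, 853}          # Do53 (UDP/TCP 53) and DoT (TCP 853)

# Constructed stand-in for "every external endpoint known to support DoH".
DOH_BLOCKLIST = {ipaddress.ip_address("203.0.113.7")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    label: str = ""   # what the host is really doing; policy code never reads it


def egress_verdict(flow: Flow) -> str:
    """Pre-DoH rule: disallow outbound 53/853 except from the operator's resolvers.

    - on-net client -> operator resolver: allowed
    - operator resolver -> upstream/authoritative: allowed
    - any other internal host -> off-net 53/853: dropped, so a client that
      ignores the MDM-pushed resolver setting simply fails to resolve
    - everything else, including 443: the rule does not apply
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if flow.dport not in DNS_PORTS:
        return "ALLOW"
    if dst in INTERNAL_NET:
        return "ALLOW"
    if src in OPERATOR_RESOLVERS:
        return "ALLOW"
    return "DROP"


def egress_verdict_with_blocklist(flow: Flow, blocklist) -> str:
    """Post-DoH alternative: same rule plus a destination blocklist of DoH hosts."""
    if ipaddress.ip_address(flow.dst) in blocklist:
        return "DROP"
    return egress_verdict(flow)


def apply_policy(flows, blocklist=frozenset()):
    """Return (flow, verdict) pairs; an empty blocklist gives the pre-DoH policy."""
    return [(f, egress_verdict_with_blocklist(f, blocklist)) for f in flows]


def doh_distinguishable_by_port(flows) -> bool:
    """True only if the port-based rule gives different verdicts to 443 flows.

    It never does: DoH and plain HTTPS both get ALLOW, which is the point of
    the thread (enforcement by port is 'deliberately impossible' post-DoH).
    """
    return len({egress_verdict(f) for f in flows if f.dport == 443}) > 1


def collateral(flows, blocklist):
    """Labels of non-DoH flows the blocklist drops: the 'other endpoints
    unreachable as a side effect' cost of blocking DoH hosts by address."""
    return [
        f.label for f in flows
        if egress_verdict(f) == "ALLOW"
        and egress_verdict_with_blocklist(f, blocklist) == "DROP"
        and f.label != "doh"
    ]


# Constructed flows from one internal client (192.0.2.10) and one resolver.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "192.0.2.53", 53, "udp", "do53 to operator resolver"),
    Flow("192.0.2.53", "198.51.100.1", 53, "udp", "resolver to upstream"),
    Flow("192.0.2.10", "198.51.100.2", 53, "udp", "do53 bypass"),
    Flow("192.0.2.10", "198.51.100.3", 853, "tcp", "dot bypass"),
    Flow("192.0.2.10", "203.0.113.7", 443, "tcp", "doh"),
    Flow("192.0.2.10", "203.0.113.7", 443, "tcp", "web on same host"),
    Flow("192.0.2.10", "203.0.113.8", 443, "tcp", "web"),
]

if __name__ == "__main__":
    for name, bl in (("pre-DoH rule", frozenset()), ("with DoH blocklist", DOH_BLOCKLIST)):
        print(f"== {name} ==")
        for f, v in apply_policy(SAMPLE_FLOWS, bl):
            print(f"  {f.src:>12} -> {f.dst:>13}:{f.dport:<3} {v:5} ({f.label})")
    print("DoH distinguishable by port:", doh_distinguishable_by_port(SAMPLE_FLOWS))
    print("collateral from blocklist:", collateral(SAMPLE_FLOWS, DOH_BLOCKLIST))
```

The port rule drops the two bypass attempts (external Do53 and DoT) while passing the operator's own resolver, but it cannot tell the DoH flow from the web flow beside it; the address blocklist catches the DoH flow only by also dropping the unrelated HTTPS session to the same host, which is the trade-off the quoted message describes.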