On Wed, Mar 13, 2019 at 12:18 PM Christian Huitema <huit...@huitema.net> wrote:
> But then, if the user has not opted in to such a system, it would be nice if
> the ISP refrained from interfering with name resolution for that user. How
> do we achieve those two goals in practice?
>
> -- Christian Huitema
>

Even that starting point is not accurate or correct, IMHO, at least for scope, or whether/how any given DoH implementation interacts with the user(s).

Jason was suggesting that there are (or at least may be) multiple levels of ISP and/or Enterprise and/or controlled (parental) stuff; those might nest with no "naked" root (unfiltered) depending on the particular ISP, or mandated legal thing, or "public" offering doing anything questionable.

Notwithstanding any desire to have users use DoH to arbitrary endpoints, in some environments (enterprises) or regulatory environments (western countries which have different restrictions on legal contracts and user acceptance stuff).

This means that it is NOT the case that EVERY potential deployment environment is going to be compatible with a DoH client that bypasses any controls that might be present, without violating laws, contracts, or other controlling limitations.

The starting place for the conversation needs to acknowledge this, and accommodate it.

It is entirely possible that a DoH client that doesn't do a minimum level of getting user acknowledgement before violating policies, laws, or contracts, might itself be illegal in some jurisdictions (jurisdictions that could include some US states, some western countries, some larger entities like EU, etc.).

This is not to say it isn't going to be the case that users can't "force" some kind of DoH-like thing, only that it needs to be under some kind of affirmative control, where a user makes an informed decision with some kind of explicit understanding/acknowledgement.

It probably would be advisable for DoH implementations to NOT make that explicit acknowledgement externally visible to e.g. authoritarian regimes, but that is stuff to discuss/explore, i.e. it's an open question.

It would be very helpful for moving the conversation forward if the DoH proponents could start with acknowledging this set of legal/contractual issues, and that any kind of DoH client that just automatically does stuff that bypasses any mechanisms to restrict DNS, likely isn't known to be compliant with all laws in all jurisdictions (and probably would be problematic, at a minimum).

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop