This has been an excellent discussion, with lots of insightful analysis, examples, and great context.
I apologize in advance, but I'd like to pick one particular sentence, to use for teasing out what I think is a foundational issue:

On Fri, Mar 15, 2019 at 11:37 AM Ted Hardie <ted.i...@gmail.com> wrote:
>
> This is certainly not the case for all deployments of DoH.
>

This is where the distinction between, for example, "normative" vs "informative" is important.

What I think we (the larger "we" in these threads) need to settle is what should be the rules (aka "protocol") for what we want or need ALL deployments of DoH to do; or how they do what they do; or how users control what the clients do; or how network operators (last mile or otherwise) can influence/control what DNS protocols and operators can be used.

Some of the issues might be how users are able to know the identities of DNS operators (e.g. certs for DoT or DoH); how services are offered, selected, configured, and possibly restricted; and what jurisdictional/regulatory/legal environments might be applicable to any of the parties involved.

It's definitely a non-trivial issue, but it needs to be handled in a comprehensive, cooperative, and inclusive manner.

My preference would be that no DoH operators, or client software, be deployed in a manner that is deliberately ignorant of or in violation of policies and laws, even if there may be some particular use cases where no laws or policies are violated by a particular set of {operator,client} pairs.

Yes, there may be large swaths of jurisdictions vs users where non-cooperative operation is necessary. I would (and I believe a consensus-level of individuals involved in DNS would) prefer that those modes are only engaged where strictly necessary, and that to the greatest degree possible, client and operator implementations are able to recognize when they are not in those particular places/networks, and block hostile operation (to prevent exploitation by e.g. malware).

I'm glad we at least have these options now.

Let's work together to ensure the best outcomes are achieved, and that we avoid situations where "camps" cannot find a middle ground.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop