> On 22 November 2018 at 17:26 Paul Hoffman <[email protected]> wrote:
>
> DoH did not suddenly allow browser vendors to do something new: they've
> been able to do exactly what DoH is standardizing for more than 20 years.
> Saying that the IETF is reducing the privacy is completely incorrect. What
> the DoH standard did is make it so that browser vendors (and, to a much
> smaller extent, web applications) could reach a larger variety of DNS servers
> in a standardized way.
>
> If you want to prevent over-centralization of queries going to a small
> number of large resolvers, you should be making it easier for resolver
> operators of all sizes to become DoH servers. It looks like your company is
> doing exactly that: thank you!

Well, we love privacy and user rights, so of course we are all in favour of that extra privacy that comes from encrypting your connection to the resolver - but you could get it without any need to put four global browser makers in charge of the decision on who resolves the names for at least 90% of the entire planet.

In my opinion, the only positive way forward from this situation would be that all ISPs deploy DoT and/or DoH on their front-end (and yes, as Ralf Weber is also noting, perhaps that would not even be so necessary for many smaller ISPs, as no one is spying on their last mile connections and the cost/benefit ratio of this deployment is terrible, but now they are basically forced to do so, lest they be labeled as government cronies that endanger freedom of expression) and that browser makers commit to using the local resolver as a default and only use their own if the user makes an explicit choice for it. So this is what we are trying to make happen from our side, as one of the resolver software makers, but on the other side, this is not what Mozilla has said they will do.

But even in this scenario, even if we had thousands of DoH servers around the world, I am afraid that the centralization would happen all the same, just thanks to the gatekeeper role over the DNS that DoH attributes to popular application makers. I am old enough to remember when Microsoft killed Netscape in a very short time, just by using their control of the operating system to make using Internet Explorer much easier. Nowadays the browsers are the operating system of the Internet for the average user, and they could easily prompt the user to use whatever service they want.

> Please stop with the "IETF is disrupting" stuff. No one forces anyone to
> use DoT or DoH. Both were features that the user communities asked for, and
> the user communities will ask for changes when they get deployed.

Which user communities are you referring to? It doesn't look like there is much request for DoH in the ISP and DNS operator community - actually, I see more and more pushback. If you talk about the end-users of the Internet, where and when did they ask for this, and how many users actually want this?

Because I am quite sympathetic with any dissident community under authoritarian regimes, but in Europe there currently are millions of end-users that use DNS-based security and parental control filters, for example. The ratio would be something like 10'000 people who happily and voluntarily ask their ISP to, as you say, "lie" on DNS queries (and will lose this service if their browser starts to direct their DNS queries somewhere else) for every dissident that absolutely needs Cloudflare to get all his DNS queries by default because he is planning to overthrow the government but does not know how to get into Firefox's preferences and manually set the name server to 1.1.1.1.

Sorry if I am being sarcastic, but these DoH "pro user" claims sound quite unrealistic to me, and just an excuse for business interests and more Silicon Valley data greediness - or, as a minimum, they reflect an incomplete, partial view of what users want.

Regards,

--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
[email protected]
Office @ Via Treviso 12, 10144 Torino, Italy
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
