On Mon, Aug 20, 2018 at 12:57 PM, Paul Vixie <[email protected]> wrote:

> On 20 August 2018 at 17:55 Ted Lemon <[email protected]> wrote:
>
>> I am entirely within my rights to use DoH whether the network
>> operator likes it or not.
>
> so, their network, but not their rules? when spammers used to tell me that
> sending spam wasn't illegal and i had to accept it, i blackholed them and
> said, my network, my rules. who has what rights, and why?


Paul, take a deep breath. I'm paying for my network service. My ISP
does not require me to use their DNS resolvers. U.S. law does not require
me to use their DNS resolvers. So yes, I am perfectly within my rights to
not use their DNS resolvers, but the reason is not "their network, my
rules." It is that there's no rule against doing it.


>> It is certainly true that in some cases, someone using DoH would be
>> violating a network operator policy that is enforceable, or would
>> be violating the law. But that is by no means the most common
>> case, and it does you no credit to pretend otherwise.
>
> some references i've seen go by in this thread indicate that the DoH team
> wants its protocol to be unblockable, and hopes that RDNS DOH providers
> will co-locate their DOH endpoints with other valuable content, "so that
> network operators will think twice about blocking it."
>

I think the DoH team is not quite as cohesive as you think it is, but yes,
that is one implication of the use of DoH. If you find it problematic,
then you need to get your end users to proxy all their HTTPS traffic
through your HTTPS proxy. This will be really obvious to them, so you
won't be able to do it without their agreement. This is by design. This
situation has existed since HTTPS has existed—it's not something that DoH
invented. You've always been able to use HTTPS to bypass firewalls; this
has good uses and bad. Tough luck—see Figure One. :)

> if there are use cases beyond violating the law and violating network
> operator security policy, then they are obviously secondary, but do tell--
> what do you think those might be?
>

Preventing user behavior tracking seems like a pretty valid use case.


> i also block tor endpoints. because, my network, my rules. if it's going
> to be my network but mozilla's or cloudflare's rules, then this
> conversation is going to travel very differently, because i'll still be
> paying for it, but it won't be _my_ network any more. would that sit well
> with you? it wouldn't with me.


If you think that Mozilla isn't trustworthy, don't use Firefox. It's all
about trust. It's naive to think that you aren't going to have to trust
someone; thinking about trust models is no longer optional for network
operators.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop