> If I got it well, what you are trying to bypass is your ISP's
> security filter that prevents you from connecting to malware or to
> illegal content (e.g. intellectual property violations and the
> likes).
As a user, I think there is little reason to trust an ISP. If you take a mobile device, do you trust every hotel, bar, etc. where you may connect to the wifi? Are they all competent? Are you sure none of them will violate your privacy? If you have only a few ISPs to choose from, do you trust that ISP? There are many ISPs that try to do the right thing for their customers. There are quite a few ISPs that have court orders to do things that go against the interests of their customers. And there are quite a few ISPs that are positively evil. You need to have options in case you can't trust the ISP.

> build a sort of "nuclear bomb" protocol
> that, if widely adopted, will destroy most of the existing practices
> in the DNS "ecosystem"

There is no reason why DoH has to be deployed as a 'nuclear bomb'. Hosts can still default to using the resolvers offered by DHCP, only switching to public resolvers when directed by the user. The big difference is that when the user does decide to bypass the ISP's resolvers, there will be no way for the ISP to interfere. Of course, an ISP can still try to block encrypted access to 8.8.8.8, etc. Ultimately, that may result in users routing their requests over Tor. In areas with net neutrality laws, blocking access to public resolvers is probably not an option.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop