David Conrad wrote:
> Vittorio,
> ...
> Perhaps I’m misunderstanding: are you saying the folks who provide
> resolution services in a DoH world would have incentive to not follow
> basic security measures?
noting that i am not vittorio, i will punch in as follows.
i do not expect CF to block resolution of its free-tier of CDN
pseudo-customers; if they thought those folks didn't deserve DNS, they
would probably think they didn't deserve CDN services either.
i block quite a few free-tier CF CDN pseudo-customers here, because that
service tier is widely abused. since the addresses associated with these
low-value pseudo-customers are shared by their paying customers, i can't
block them at the IP layer. so i block them using DNS RPZ. (i do not
publish this RPZ because in 1997 or so i got tired of lawsuits.)
anyhow, this is but one of many reasons why i don't want control-plane
information injected into my network, bypassing my security perimeter.
while CF is a special case, the general case is where my policies are
aligned somewhat differently than the user's policies or the content
provider's policies or the "public DoH" server operator's policies.
my network, my rules. one rule is, no bot-on-bot violence in my house.
--
P Vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
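The post's technical point is that a DNS Response Policy Zone can single out one name on a CDN while an IP-layer block cannot, because the free-tier name and a paying customer's name resolve to the same shared address. The following is an added Python example, not code from the post or from any RPZ implementation (BIND, Unbound or otherwise): it parses a small constructed RPZ zone that uses only QNAME triggers, applies the policy to query names, and shows the collateral damage an IP-layer block of the shared address would cause. The zone origin rpz.example.net, every trigger name, and the addresses 198.51.100.10, 192.0.2.1 and 2001:db8::1 are constructed; the precedence used (exact trigger before wildcard, longest wildcard first) is a simplification of the full RPZ rule-selection order and is an assumption of this example.

```python
"""Minimal evaluator for DNS RPZ QNAME triggers (added example, not a real resolver)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed RPZ zone. Owner names are QNAME triggers written relative to
# the zone origin; the CNAME target encodes the policy action.
RPZ_ZONE = """
$ORIGIN rpz.example.net.
abused-free-tier.example        CNAME .              ; NXDOMAIN for the name itself
*.abused-free-tier.example      CNAME .              ; ...and for everything beneath it
api.abused-free-tier.example    CNAME rpz-passthru.  ; exception: resolve normally
tracker.example                 CNAME *.             ; NODATA (empty answer)
sinkhole.example                A     192.0.2.1      ; local data (walled garden)
sinkhole.example                AAAA  2001:db8::1
"""

# Special CNAME targets defined by the RPZ format and the action each one means.
SPECIAL_CNAME_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


@dataclass(frozen=True)
class Rule:
    trigger: str            # matched query name, lower-case, no trailing dot; may begin with "*."
    action: str             # NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-ONLY or LOCAL-DATA
    rdata: Optional[str] = None  # for LOCAL-DATA: "TYPE value"


def parse_rpz(text: str) -> List[Rule]:
    """Parse a zone-file fragment containing only QNAME triggers into rules."""
    origin = ""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner = owner.lower()
        if owner.endswith("."):                   # absolute owner: must lie inside the origin
            suffix = "." + origin
            if not owner.rstrip(".").endswith(suffix):
                raise ValueError(f"owner {owner} is outside zone {origin}")
            owner = owner.rstrip(".")[: -len(suffix)]
        rtype = rtype.upper()
        if rtype == "CNAME" and rdata.lower() in SPECIAL_CNAME_ACTIONS:
            rules.append(Rule(owner, SPECIAL_CNAME_ACTIONS[rdata.lower()]))
        else:
            rules.append(Rule(owner, "LOCAL-DATA", f"{rtype} {rdata}"))
    return rules


def lookup(rules: List[Rule], qname: str) -> Optional[Tuple[str, List[str]]]:
    """Return (action, local_rdata) for qname, or None when no trigger matches.

    Precedence (simplified, an assumption of this example): an exact trigger
    wins over a wildcard, and among wildcards the one closest to qname wins.
    """
    index: Dict[str, List[Rule]] = {}
    for r in rules:
        index.setdefault(r.trigger, []).append(r)
    q = qname.lower().rstrip(".")
    labels = q.split(".")
    candidates = [q] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:                       # "*.parent" matches names strictly below parent
        if cand in index:
            matches = index[cand]
            return matches[0].action, [m.rdata for m in matches if m.rdata]
    return None


# Constructed forward answers: the abused free-tier name and a paying customer
# share one CDN edge address, the situation the post describes.
UPSTREAM_ANSWERS = {
    "abused-free-tier.example": "198.51.100.10",
    "paying-customer.example": "198.51.100.10",
}


def collateral_from_ip_block(blocked_ip: str) -> List[str]:
    """Names an IP-layer block of blocked_ip would also cut off."""
    return sorted(name for name, ip in UPSTREAM_ANSWERS.items() if ip == blocked_ip)


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE)
    for name in ("abused-free-tier.example", "cdn.abused-free-tier.example",
                 "api.abused-free-tier.example", "paying-customer.example"):
        print(f"{name:32} -> {lookup(policy, name)}")
    print("IP block collateral:", collateral_from_ip_block("198.51.100.10"))
```

Run as a script, the output shows the free-tier name and its subdomains returning NXDOMAIN, the carved-out `api` name passing through, and the paying customer's name untouched, while the IP-layer block lists both names as casualties. A DoH client that bypasses the local resolver never consults this zone, which is the control-plane bypass the post objects to.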