> On Aug 21, 2018, at 2:54 PM, Paul Vixie <[email protected]> wrote:
> 
> 
> 
> David Conrad wrote:
>> Vittorio,
>> 
>> ...
>> 
>> Perhaps I’m misunderstanding: are you saying the folks who provide
>> resolution services in a DoH world would have incentive to not follow
>> basic security measures?
> 
> noting that i am not vittorio, i will punch in as follows.
> 
> i do not expect CF to block resolution of its free-tier of CDN 
> pseudo-customers; if they thought those folks didn't deserve DNS, they would 
> probably think they didn't deserve CDN services either.
> 
> i block quite a few free-tier CF CDN pseudo-customers here, because that 
> service tier is widely abused. since the addresses associated with these 
> low-value pseudo-customers are shared by their paying customers, i can't 
> block them at the IP layer. so i block them using DNS RPZ. (i do not publish 
> this RPZ because in 1997 or so i got tired of lawsuits.)
> 
> anyhow, this is but one of many reasons why i don't want control-plane 
> information injected into my network, bypassing my security perimeter. while 
> CF is a special case, the general case is where my policies are aligned 
> somewhat differently than the user's policies or the content provider's 
> policies or the "public DoH" server operator's policies.
> 
> my network, my rules. one rule is, no bot-on-bot violence in my house.
> 
> -- 
> P Vixie

Ok, so as Vladimír said, getting back to DHCP…

1. You obviously don’t need a DoH URI option for DHCP.
2. You’re comfortable with DNS over UDP/53 as long as DNS Cookies are present 
and using the existing DHCP DNS options
3. You seem happy with the Android approach of just trying DoT with the IP 
address learned via standard DHCP DNS options

Why do you care about additional DHCP options?

Thanks,
Tom


_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
