Ted Lemon wrote:
DHCP authentication doesn't exist. We already rejected a draft that
described how to set up DoH with DHCP. Yours is a little more
complicated, but doesn't seem any less dangerous. Before you go any
farther on this, you might ask yourself a couple of questions:

1. Why is DoH being used?
2. What is the threat model that DoH is addressing?
3. How does adding this configuration mechanism impact DoH's ability to
address that threat model?

the DoH use case is for web users and web apps who do not trust their network operator and who are not trusted by their network operator, so it's a policies-in-the-night model where data can be imported from The Web without approval or permission or control or observability by a network operator. it is in other words a thin DNS-only way to do what Tor does.

as a network operator, i oppose this thinking. i predict a long war in which web users and apps who want to use DoH to reach an external DNS resolver will be treated as attackers, and either banned or blocked. in some parts of the world such use will be illegal and even punishable, much as Tor is today.

this is what happened after edward snowden flew to hong kong: the pendulum swung so far the other way that many of us saw only absurdity.

the possibility that large CDN operators will colo a DOH endpoint with their high-value hosting, in order to discourage network operators from blocking it, raises the stakes. _i_ will block it. most corporate networks will block it in some form. some countries will block it. no DNS content will enter my network without having passed through my RPZ rules. if a CDN operator wants to play "chicken", i guess that we will.

--
P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop