> On 20 August 2018 at 18:51 Ted Lemon <mel...@fugue.com> wrote:
>
> > So I cannot immediately recall cases in which a network operator in Europe
> > is filtering out things that a user wants and can lawfully access. But you
> > mention that your network operator is spoofing the DNS and stifling your
> > freedom of expression, so I guess it is censoring legitimate websites -
> > this is bad, of course, but can you tell me which operator, and which
> > websites? It would help my understanding of your use case.
>
> No, it's not bad. It's the service they offer, and it's fine that they
> offer it. I think it's the right default. It's also fine that I choose to
> bypass it.

If I got it well, what you are trying to bypass is your ISP's security filter that prevents you from connecting to malware or to illegal content (e.g. intellectual property violations and the like). I also imagine that your ISP is doing some transparent proxying/scanning so that you cannot simply bypass this filter by configuring a different resolver in your OS, right? (Which, by the way, is the simple solution to your problem that is already available and widely used across the world - see the famous picture of people painting 8.8.8.8 on walls in Turkey.)

If so, I can accept your use case: a smart user, knowing what he is doing, does not want anyone else to sanitize his queries for him. But I don't see why the best solution to your use case - which is quite a minority case, though easily overrepresented in a technical environment - is to build a sort of "nuclear bomb" protocol that, if widely adopted, will destroy most of the existing practices in the DNS "ecosystem" (I'm using the word that was being used at ICANN's DNS Symposium in Montreal), including the basic security measures that protect the 99.9% of users who are not technically smart. Perhaps it would have been enough for you to have a discussion with your ISP and get them to give you an opt-out, which is entirely possible with today's DNS filtering techniques - or to just change to another ISP.

Anyway, this looks to me a lot like a policy issue, rather than a technical one; and the more I get into this discussion, the more DoH looks like "the IETF against the world's governments and ISPs" - not a good thing, IMHO.

> Yes, and if we come up with a solution that allows both situations to be
> securely communicated to the end user device, and allows the end user to make
> an informed decision about whether or not to use the service with these
> restrictions in place, I'm okay with that, and I think it's appropriate for
> the IETF to do it. What I am arguing is that we should actually describe
> how to do that, and not just hack together a solution without thinking about
> that.

I would be fine with this approach and happy to work on it, as long as there is an agreement by the DoH/browsers community that DoH will not be deployed to the general public until this missing piece is completed and implemented. Otherwise it would just be a waste of time.

Regards,

-- 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop