[dns-operations] charter, sitefinder, opendns (slashdot today)

[Paul Vixie]

> We all (including Paul) know that DNS over HTTP/S is not the real 
> solution.  These are layer-8 issues.

agreed.

> > If you need a tunnel for DNS, you need a tunnel for everything else.   

> This is true.  This is the exact point I made that if we force things to 
> the ridiculousness of being on port 80 or 443 then we are in a far worse 
> boat.

this is debateable.  lots of routing domains intercept outbound by transport.
for example, transparent web caching, or hotel ethernet DNS, or smtp rate
limiting.  relatively few will try to intercept https (high hassle-factor).

i use vpn-ish tricks when using hotel room ethernets, or public wireless,
but only to protect my dns and smtp transactions.  i'm willing to pay the
extra hop and source my hotel room dns and smtp traffic from my house...
but for web or media traffic, i want to source it from the hotel room.
(sometimes i'm even grateful for the transparent web cache, but even in
the more common case, i'm grateful that i don't have to pay the performance
penalty of dragging everything to my house first and then pumping it over
the VPN.)

so, i'm a case in point, i need a tunnel for dns, but not everything else.

> > If you don't need a tunnel for everything else, you don't need a  
> > tunnel for DNS, either.
> 
> This is not true.  ISPs are actively considering blocking 53 and no 
> rationale for that exists.

i think they have a rationale.  maybe they want to make money fast.  or
maybe they want the dns transactions to go through a bothunting IDS.

> Historically, and not for better, but for worse, irrational actions 
> generate irrational responses.
> 
> Let's not let that happen.

i've been standing in the water up to my waist trying to hold back that tide.
so, i'm not sure what you mean by "not let".