[dns-operations] Bad ISPs, DoH and user choice (was Re: Can Root DNS server modify the response?)

Hellqvist, Björn bjorn.hellqvist at teliacompany.com
Mon Apr 1 14:33:37 UTC 2019


This might also be a violation of GDPR, where it specifically says that configuration options should be opt-in and with a good explanation of each option.

Also, Cloud-based DoH might somewhat work in the Consumer area, but in the Enterprise area there are a lot of zones that are either totally hidden or in split-views, where internal DNS resolvers are needed for specific data. It could also intentionally or unintentionally, depending on which side you are on, leak internal data. This part is rarely mentioned when proposing DoH.

Bjorn Hellqvist
Senior System Expert (Internet, DNS & Automation)
Telia Company
Solna, Sweden

-----Original Message-----
From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf Of Paul Vixie
Sent: den 1 april 2019 15:37
To: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] Bad ISPs, DoH and user choice (was Re: Can Root DNS server modify the response?)

David Conrad wrote on 2019-03-30 10:12:
> Vittorio,

i am not vittorio but i wish to insert one observation:

> What Mozilla has publicly stated they are doing (see
> https://mailarchive.ietf.org/arch/browse/doh/?gbt=1&index=HPTOUtziIYe_PFuawExeetkSjVg):
>      [...]
>      2. The user will be informed that we have enabled use of a TRR and
>      have the opportunity to turn it off at that time, but will not be
>      required to opt-in to get DoH with a TRR.
>      3. Any given client will automatically select a resolver out of that
>      set and use that for all resolutions [with the two exceptions noted
>      below.]
>      4. At any time, the user will have the option to select a
>      different resolver out of the list, specify their own resolver, or
>      disable DoH entirely.
>      [...]

this is opt-out. while i would protest opt-in, have done so, i find opt-out in this case to be a declaration of infowar by mozilla against whatever network operators they select for it. those network operators will most likely not acquiesce -- certainly in my case, i will fight.

P Vixie

dns-operations mailing list
dns-operations at lists.dns-oarc.net