[dns-operations] Can Root DNS server modify the response?

David Conrad drc at virtualized.org
Fri Mar 29 15:38:47 UTC 2019


Paul,

On Mar 29, 2019, at 1:43 AM, Paul Vixie <paul at redbarn.org> wrote:
> fwiw, your analogy hit home with me. as a network operator for both my family and my company, i resent being lumped in with oppressive regimes when members of the web community are trying to decide what DNS control plane bypasses to offer.

Wait. The person who co-created MAPS and co-authored RPZ that allows for the blocking of entire TLDs is unhappy because he’s being lumped in with groups he has no relationship with?

> i find the ietf's post-snowden consensus on enshrining rights for all end users including bots, malware, intruders, poisoned supply chains, and unruly teenagers at home, at the expense of every right (and responsibility!) of network operators to be naive knee jerkism, unhelpful, and disrespectful.


Another point of view is that in the end-to-end model, the post-Snowden approach the IETF has decided to pursue is returning the rights to the end users stolen by network operators and pervasive surviellers.

DOH is an unsurprising outcome of an understanding that the underlying network shouldn’t be trusted. You are, as is your right as a network operator, asserting that if I connect to your network, I must trust your network. As such, I should be willing to install your cert to allow for DPI on HTTPS connections. If you feel the cost of doing this is too high, perhaps you should charge me for connecting to your network?

And to be clear, this isn’t a situation I’m happy with. It is, however, a natural outcome of lying DNS servers, monetization of passive DNS collection, pervasive surveillance, etc.

Regards,
-drc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190329/69a51b50/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190329/69a51b50/attachment.sig>


More information about the dns-operations mailing list