[dns-operations] Can Root DNS server modify the response?
paul at redbarn.org
Fri Mar 29 16:48:14 UTC 2019
the subject is wrong for this part of the thread.
David Conrad wrote on 2019-03-29 08:38:
> On Mar 29, 2019, at 1:43 AM, Paul Vixie <paul at redbarn.org
> <mailto:paul at redbarn.org>> wrote:
>> fwiw, your analogy hit home with me. as a network operator for both my
>> family and my company, i resent being lumped in with oppressive
>> regimes when members of the web community are trying to decide what
>> DNS control plane bypasses to offer.
> Wait. The person who co-created MAPS and co-authored RPZ that allows for
> the blocking of entire TLDs is unhappy because he’s being lumped in with
> groups he has no relationship with?
yes. i think you must think that customers of blacklisted providers have
no relationship with those providers. that's strange, because their
relationship is, one is a customer of the other. also, each has
choices, and, those choices are not conjoined.
>> i find the ietf's post-snowden consensus on enshrining rights for all
>> end users including bots, malware, intruders, poisoned supply chains,
>> and unruly teenagers at home, at the expense of every right (and
>> responsibility!) of network operators to be naive knee jerkism,
>> unhelpful, and disrespectful.
> Another point of view is that in the end-to-end model, the post-Snowden
> approach the IETF has decided to pursue is returning the rights to the
> end users stolen by network operators and pervasive surveillers.
i've heard that point of view, and, anyone writing the checks that keep
my network operating, is welcome to tell me how to operate it, or find
some other network. if on the other hand someone insists on using my
network in ways i don't approve of, i will stop providing them service,
or block the actions of theirs that i don't approve of.
my network, my rules. you want your own rules? use your own network. and
to be clear, the internet is a network of networks. mine is one of those
many networks which the internet is a network of. all policy is local.
i'll provide some live examples of what i mean by local policy.
since i don't like spoofed source packets, i don't allow those to leave
my network. since i don't like ddos, i don't amplify it. since i don't
like spam, i carefully control outbound SMTP. since i use naming as a
control point for endpoint security, i carefully control outbound DNS.
anyone, including mozilla with their default settings, who wants my
network to emit traffic which i as its operator disapprove, will get a
and that won't change, no matter what snowden recommends.
> DOH is an unsurprising outcome of an understanding that the underlying
> network shouldn’t be trusted. You are, as is your right as a network
> operator, asserting that if I connect to your network, I must trust your
> network. As such, I should be willing to install your cert to allow for
> DPI on HTTPS connections. If you feel the cost of doing this is too
> high, perhaps you should charge me for connecting to your network?
so, that's a subject change, but i'll follow you there.
the fact that i must now keep either a whitelist of HTTPS endpoints
which do not support DoH, or a blacklist of HTTPS endpoints which do,
and use SOCKS to handle the difference between the sets, is a cost i
resent -- and it has nothing to do with you as a visitor or customer.
(if you'd like to bring up the canard about how i already had to do this
and it's not a new cost, i'll replay the standard response explaining why
i in fact did not have to do this until IETF made it a standard. or, we
can skip that, this time.)
> And to be clear, this isn’t a situation I’m happy with. It is, however,
> a natural outcome of lying DNS servers, monetization of passive DNS
> collection, pervasive surveillance, etc.
so, here, we agree. inappropriate monetization and equitization of other
people's data is the root cause of IETF's actions on DoH. however, my
resentment remains, because there were many other, less destructive
outcomes. this emergency has been leveraged by people who had agendas
and who have used it as an opportunity. the results will be painful to
everybody except those people. so it's brilliant, in an evil kind of way.
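The "local policy" examples in the post (no spoofed sources leaving the network, outbound SMTP confined to a relay, outbound DNS confined to the local resolver, and a blacklist of HTTPS endpoints known to serve DoH) can be written down as one explicit egress decision function. The block below is an added example for this thread, not code from the post or from any project; every prefix and address in it is constructed from RFC 5737 documentation ranges, and the DoH blacklist is a placeholder, not a list of real resolvers.

```python
"""Egress-policy classifier for a small network edge.

Added example (not from the dns-operations thread). All addresses are
constructed from RFC 5737 documentation space: 192.0.2.0/24 stands in for
"my network", and 203.0.113.0/28 stands in for a blacklist of public DoH
endpoints (placeholder only).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed topology (assumption): prefixes we originate traffic from.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed: the only host permitted to speak SMTP to the outside.
MAIL_RELAY = ipaddress.ip_address("192.0.2.25")
# Constructed: the only host permitted to speak DNS to the outside.
LOCAL_RESOLVER = ipaddress.ip_address("192.0.2.53")
# Constructed placeholder blacklist of HTTPS endpoints that also serve DoH.
DOH_ENDPOINTS = [ipaddress.ip_network("203.0.113.0/28")]


@dataclass(frozen=True)
class Flow:
    """One outbound 4-tuple as seen at the network edge."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def egress_decision(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet about to leave the network.

    Rules are evaluated in order; the first match wins, mirroring how an
    edge ACL or nftables chain would be written.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    # 1. Anti-spoofing (BCP 38): a source we do not own never leaves.
    if not _in_any(src, LOCAL_PREFIXES):
        return ("drop", "spoofed source %s is not in a local prefix" % src)

    # 2. Outbound SMTP only from the designated mail relay.
    if flow.proto == "tcp" and flow.dport == 25 and src != MAIL_RELAY:
        return ("drop", "outbound SMTP is only permitted from the mail relay")

    # 3. Outbound DNS only from the local resolver (naming as a control point).
    if flow.dport == 53 and src != LOCAL_RESOLVER:
        return ("drop", "outbound DNS is only permitted from the local resolver")

    # 4. HTTPS to a blacklisted DoH endpoint is refused; other HTTPS passes.
    if flow.proto == "tcp" and flow.dport == 443 and _in_any(dst, DOH_ENDPOINTS):
        return ("drop", "destination %s is a known DoH endpoint" % dst)

    return ("accept", "permitted by local policy")


def audit(flows: List[Flow]) -> dict:
    """Count verdicts over a batch of flows, e.g. from a flow-log sample."""
    counts = {"accept": 0, "drop": 0}
    for flow in flows:
        verdict, _ = egress_decision(flow)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample flows covering each rule.
    sample = [
        Flow("198.51.100.7", "203.0.113.200", "udp", 53),   # spoofed source
        Flow("192.0.2.10", "203.0.113.200", "tcp", 25),     # SMTP from non-relay
        Flow("192.0.2.25", "203.0.113.200", "tcp", 25),     # SMTP from relay
        Flow("192.0.2.10", "203.0.113.200", "udp", 53),     # DNS from non-resolver
        Flow("192.0.2.53", "203.0.113.200", "udp", 53),     # DNS from resolver
        Flow("192.0.2.10", "203.0.113.5", "tcp", 443),      # HTTPS to DoH endpoint
        Flow("192.0.2.10", "203.0.113.200", "tcp", 443),    # ordinary HTTPS
    ]
    for f in sample:
        print(f, "->", egress_decision(f))
    print(audit(sample))
```

In a real deployment these decisions live in the edge router's ACLs or an nftables chain rather than in Python; the value of writing them out like this is that the policy is explicit, ordered, and testable, and the DoH rule makes visible the maintenance cost the post complains about: rule 4 is only as good as the blacklist behind it, and that list has to be kept current by hand.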