[dns-operations] Can Root DNS server modify the response?

David Conrad drc at virtualized.org
Fri Mar 29 19:31:05 UTC 2019

On Mar 29, 2019, at 9:48 AM, Paul Vixie <paul at redbarn.org> wrote:
> the subject is wrong for this part of the thread.

It has been for a very long time.

>> Wait. The person who co-created MAPS and co-authored RPZ that allows for the blocking of entire TLDs is unhappy because he’s being lumped in with groups he has no relationship with?
> yes. i think you must think that customers of blacklisted providers have no relationship with those providers.

You missed the point of my question. I found it ironic that you expressed unhappiness about technology that implicitly finds you (as a network infrastructure provider) guilty by association while having co-developed technologies that can have the same effect on others (e.g., using RPZ to block entire TLDs because a registrar of those TLDs sold “too many” domains that were used for spam).

>> DOH is an unsurprising outcome of an understanding that the underlying network shouldn’t be trusted. You are, as is your right as a network operator, asserting that if I connect to your network, I must trust your network. As such, I should be willing to install your cert to allow for DPI on HTTPS connections. If you feel the cost of doing this is too high, perhaps you should charge me for connecting to your network?
> the fact that i must now keep either a whitelist of HTTPS endpoints which do not support DoH, or a blacklist of HTTPS endpoints which do, and use SOCKS to handle the difference between the sets, is a cost i resent -- and it has nothing to do with you as a visitor or customer.

I get that you resent the costs, just as I know a number of network operators resented the costs imposed to deal with the fact that their traffic was being intercepted for pervasive surveillance and a number of users resented the fact that the DNS servers they talked to lied (etc). As mentioned, I see DoH as an unsurprising outcome of the reality of Internet infrastructure. Yes, there are other options that could have been used to address the lack of trust in the infrastructure. I gather the folks deploying DoH as they are felt DoH was more deployable. Also as mentioned, I suspect the next step in the arms race will be for infrastructure providers to force their users to install certs and implement DPI to block/modify the stuff that happens on their network (“my network, my rules”). And then we loop again with some other technology/abomination. Unfortunately, I don’t see a way out of the loop.

However, since I’m looping myself, I’ll let you have the last word.

