On Fri, Mar 22, 2019 at 11:15 AM Winfield, Alister <Alister.Winfield=40sky...@dmarc.ietf.org> wrote:

>
> Don't overplay the privacy provided by DoH; it has no effect on the DNS
> provider.


The major effect of the transport security on the privacy practices of the
provider is that it allows the client to authenticate the provider. Trust
in their privacy practices needs to be established some other way (and the
best way we have right now is 'out of band' - hopefully that gets better) -
but with DoH you can be confident that you're having a private conversation
with the entity you've decided to trust. That's a pretty big distinction
from port 53. Without that assurance it's reasonable to be concerned about
what names you look up.

This of course applies to local and enterprise configs as well as the cloud
configs contemplated by most of this thread. An enterprise DoH server
expresses and enforces a policy - if an application needs to use that
policy it should be comforted in transport security providing confirmation
that it is doing so rather than reading in whatever might be showing up on
port 53.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
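The distinction the reply draws (a DoH client authenticates the resolver through TLS, whereas a port 53 client accepts whatever answers) is easiest to see in the client code itself. The following is an added example, not code from the thread or from any of the participants: it builds an RFC 8484 DNS-over-HTTPS request (wire-format query, the base64url GET form, and a POST that uses a certificate-verifying TLS context) and parses an answer. The resolver URL `https://doh.example/dns-query` is hypothetical, and the response bytes fed to the parser are constructed inline (answer 192.0.2.1 from TEST-NET-1) so the block runs offline; only `doh_post` needs a network.

```python
"""Minimal RFC 8484 DoH client pieces (added example, not from the thread)."""
import base64
import ssl
import struct
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format.
    txid 0 is what RFC 8484 suggests for DoH so identical queries can be cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: unpadded base64url of the message in the 'dns' parameter (RFC 8484 4.1)."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns_param}"


def verified_context() -> ssl.SSLContext:
    """The default context checks the chain against the system trust store and
    the hostname; this is the authentication of the resolver that port 53 lacks."""
    return ssl.create_default_context()


def doh_post(resolver_url: str, query: bytes, timeout: float = 5.0) -> bytes:
    """POST form (RFC 8484 4.1). Needs network; not exercised offline.
    resolver_url is a hypothetical endpoint, e.g. https://doh.example/dns-query."""
    req = urllib.request.Request(
        resolver_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=verified_context()) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected Content-Type {ctype!r}")
        return resp.read()


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 64:  # bound pointer chains so a hostile message cannot loop us
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, ttl, value) for each answer record; A records as dotted quads."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        records.append((name, rtype, ttl, value))
    return records


# Constructed response (not captured traffic): answers the example.com A query
# with 192.0.2.1 and uses a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer
    + build_query("example.com")[12:]                # echoed question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

The GET encoding can be checked against the worked example in RFC 8484 section 4.1.1, which uses the same header and label layout. In `doh_post`, the `ssl.create_default_context()` call is the entire difference from a UDP socket to port 53: a wrong or forged certificate raises before any DNS bytes are read, so a successful response is known to come from the resolver named in the URL.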