Sent from my iPhone
>> On Mar 24, 2019, at 9:43 PM, Patrick McManus <mcma...@ducksong.com> wrote:
>>
>> On Fri, Mar 22, 2019 at 11:15 AM Winfield, Alister <Alister.Winfield=40sky...@dmarc.ietf.org> wrote:
>>
>> Don't overplay the privacy provided by DoH; it has no effect on the DNS provider.
>
> The major effect of the transport security on the privacy practices of the provider is that it allows the client to authenticate the provider. Trust in their privacy practices needs to be established some other way (and the best way we have right now is 'out of band' - hopefully that gets better) - but with DoH

Minor correction: with DoH or DoT ...

> you can be confident that you're having a private conversation with the entity you've decided to trust. That's a pretty big distinction from port 53. Without that assurance it's reasonable to be concerned about what names you look up.
>
> This of course applies to local and enterprise configs as well as the cloud configs contemplated by most of this thread. An enterprise DoH server

Minor correction: An enterprise DoH and/or DoT server...

> expresses and enforces a policy - if an application needs to use that policy it should be comforted in transport security providing confirmation that it is doing so rather than reading in whatever might be showing up on port 53.

The only point I’m making in the above is there is no meaningful distinction in the privacy, security, or server validation between DoH vs DoT.

There is one important difference, which is that DoT uses a unique port number. This is important for network operators in identifying encrypted DNS traffic, in order to ensure that implementation of security policies for DNS don’t conflict with any other network policies (regardless of what those policies are).

IMNSHO, if both ports are reachable for a given provider of Do*, the DoT port MUST be used. DoH should only be used with explicit informed user consent, and only when DoT is unavailable.

This supports the “dissident” use case, without impacting any other aspects of privacy provided by DoT.

The blocking of DoT to a given provider should be interpreted as an explicit policy. Users should be informed that they may, and very likely will, be violating someone’s policy, if they choose to use DoH in that circumstance, and that they may be violating laws by doing so, and should only do so if they are willing to accept that risk.

There is no reason DoH should be used if DoT works (towards the same DNS provider).

Brian
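The transport-selection rule argued for above (DoT first; DoH only when DoT is unavailable and the user has explicitly consented), written out as an added Python example that is not part of the thread. It assumes the standard ports, 853 for DoT and 443 for DoH; `resolver.example` and `fake_network` are constructed stand-ins so the policy can be exercised offline.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Optional

DOT_PORT = 853  # DNS over TLS: a dedicated port, so operators can identify the traffic
DOH_PORT = 443  # DNS over HTTPS: shares its port with ordinary HTTPS traffic


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Decision:
    transport: Optional[str]  # "DoT", "DoH" or None (no encrypted transport chosen)
    port: Optional[int]
    reason: str


def select_transport(host: str, user_consents_to_doh: bool,
                     probe: Callable[[str, int], bool] = probe_tcp) -> Decision:
    """Apply the policy from the message above to one DNS provider.

    DoT takes precedence whenever its port is reachable. An unreachable DoT port is
    treated as someone's explicit policy, so DoH is used only if the user has given
    explicit informed consent to override that policy and accept the risk."""
    if probe(host, DOT_PORT):
        return Decision("DoT", DOT_PORT, "DoT port reachable; it takes precedence over DoH")
    if not probe(host, DOH_PORT):
        return Decision(None, None, "neither the DoT nor the DoH port is reachable")
    if not user_consents_to_doh:
        return Decision(None, None, "DoT blocked (treated as policy); DoH requires consent")
    return Decision("DoH", DOH_PORT, "DoT blocked; user consented to DoH and accepts the risk")


def fake_network(blocked_ports: set) -> Callable[[str, int], bool]:
    """Constructed probe for offline use: every port is reachable unless blocked."""
    return lambda host, port: port not in blocked_ports


if __name__ == "__main__":
    # Constructed scenario: DoT filtered, DoH reachable, user not yet consulted.
    print(select_transport("resolver.example", False, fake_network({DOT_PORT})))
```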
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop