> On Mar 24, 2019, at 10:42 PM, Patrick McManus <mcma...@ducksong.com> wrote:
> 
> 
>> On Sun, Mar 24, 2019 at 10:31 PM Brian Dickson 
>> <brian.peter.dick...@gmail.com> wrote:
>> 
>> This is important for network operators in identifying encrypted DNS traffic,
> 
> not all clients acknowledge a network's right to do such things at all times. 
> And of course it would be useful to tell the difference between policy and a 
> RST injection attack.
> 
> If the client does acknowledge the network has the right to set policy - then 
> the policy can be set on the client using existing configuration mechanisms 
> that allow the client to differentiate between authorized configuration and 
> perhaps less-authorized folks identifying their DNS traffic. This is well 
> worn ground in the HTTP space.

What I find interesting is that, as far as I can tell, everything you wrote 
applies equally to DoH and DoT, if the transport is the only difference. E.g., 
same client browser, same DNS service, accessed via DoH or DoT.

Are you suggesting (or claiming) otherwise, and if so, please elaborate?

Brian 
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
