This is equally an argument for doing DNS over DTLS. This would give
similar performance to DoH over QUIC.

On Mon, Mar 25, 2019 at 10:43 Brian Dickson <brian.peter.dick...@gmail.com>
wrote:

>
>
> On Mon, Mar 25, 2019 at 10:31 AM Patrick McManus <mcma...@ducksong.com>
> wrote:
>
>>
>>
>> On Mon, Mar 25, 2019 at 9:37 AM Brian Dickson <
>> brian.peter.dick...@gmail.com> wrote:
>>
>>>
>>>
>>>>
>>>> Other than blocking all-but-a-few (or all, or a few) DoT servers, I do
>>>> not believe anyone has proposed explicit downgrade triggers.
>>>
>>
>> that's the downgrade I am referring to
>>
>>
>>
>>> Or do you mean, when a DoT connection is blocked by e.g. a firewall (or
>>> other network enforcement device), that an RST is generated? I believe the
>>> RST requires sequence number validation before it can be processed by the
>>> TCP stack, which means the entity doing the RST generally needs to be in
>>> the data path. Other than "lucky guess" or "high volume attempts", I don't
>>> believe RST to be a serious threat.
>>>
>>
>> path manipulation attacks are real. arp attacks.. bootp attacks.. rogue
>> access points. stingray. all kinds of things. unauthenticated network
>> packets are just that: unauthenticated. RST (or blackhole) is a good
>> indication that a path isn't going to work - it's not a good indication of
>> who is expressing that policy (or whether it is a policy at all).
>>
>> Anyhow - I'm really not trying to amp up this thread.. I just felt that
>> there were a few relevant points to the discussion that had not been
>> introduced.
>>
>
> Okay, that's good to know, and I think we are in agreement (i.e. that
> inference is a poor substitute for declarations.)
>
> I think that this is an area that needs thought and mechanism development,
> possibly aligned with DoT/DoH operation, possibly not (or orthogonal to
> them).
>
> Brian
> _______________________________________________
> Doh mailing list
> d...@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
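The point in the quoted exchange about RSTs needing sequence-number validation is worth seeing in code. The following is an added example, not code from this thread or from any of its participants: it models the receiver-side acceptance rule for an unauthenticated RST under the original RFC 793 rule (any in-window sequence number resets the connection) and under the RFC 5961 mitigation (only an exact RCV.NXT match resets; other in-window RSTs draw a challenge ACK), then runs the classic off-path "sweep the sequence space one window at a time" guess against both. The connection state, the window size and the attacker's guesses are all constructed inline; the model assumes the attacker already knows the 4-tuple and the window size, which is the optimistic case for the attacker.

```python
"""Added example: why an off-path (blind) TCP RST needs a sequence-number
guess, and how much the guess must hit depending on the receiver's rule.
Not code from the DNSOP/DoH thread; all state below is constructed."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum

SEQ_SPACE = 1 << 32  # 32-bit sequence-number space


class Verdict(Enum):
    RESET = "reset"          # connection torn down
    CHALLENGE = "challenge"  # RFC 5961: send challenge ACK, keep connection
    DROP = "drop"            # segment ignored


@dataclass(frozen=True)
class TcpRecvState:
    rcv_nxt: int  # next sequence number the receiver expects from its peer
    rcv_wnd: int  # receiver's advertised window


def seq_in_window(seq: int, state: TcpRecvState) -> bool:
    """SEG.SEQ in [RCV.NXT, RCV.NXT + RCV.WND), with 2^32 wrap-around."""
    return ((seq - state.rcv_nxt) % SEQ_SPACE) < state.rcv_wnd


def rst_verdict_rfc793(seq: int, state: TcpRecvState) -> Verdict:
    """Original rule: any RST whose sequence number lands in-window resets."""
    return Verdict.RESET if seq_in_window(seq, state) else Verdict.DROP


def rst_verdict_rfc5961(seq: int, state: TcpRecvState) -> Verdict:
    """RFC 5961 section 3.2: exact RCV.NXT resets; in-window but not exact
    triggers a challenge ACK (an on-path peer that really sent a RST will
    answer it with a properly sequenced RST); out-of-window is dropped."""
    if seq == state.rcv_nxt:
        return Verdict.RESET
    if seq_in_window(seq, state):
        return Verdict.CHALLENGE
    return Verdict.DROP


def blind_rst_success_probability(state: TcpRecvState, rfc5961: bool = True) -> float:
    """Per-packet chance that one uniformly random sequence guess resets the
    connection: one value out of 2^32 under RFC 5961, a whole window's worth
    under RFC 793."""
    hits = 1 if rfc5961 else state.rcv_wnd
    return hits / SEQ_SPACE


def expected_guesses(state: TcpRecvState, rfc5961: bool = True) -> float:
    """Mean number of random guesses before the first accepted RST."""
    return 1.0 / blind_rst_success_probability(state, rfc5961)


def sweep_guesses(wnd: int) -> range:
    """Classic blind-RST sweep (assumes the attacker knows the window):
    one RST per window-sized slice of the 2^32 space, so under RFC 793
    one guess lands in almost any possible window."""
    return range(0, SEQ_SPACE, wnd)


def run_blind_rst_sweep(state: TcpRecvState, verdict_fn) -> dict:
    """Feed the whole sweep to the receiver rule and tally the verdicts."""
    counts = Counter(verdict_fn(seq, state) for seq in sweep_guesses(state.rcv_wnd))
    return {v: counts[v] for v in Verdict}


if __name__ == "__main__":
    # Constructed victim state: expecting seq 1_000_000, 64 KiB window.
    victim = TcpRecvState(rcv_nxt=1_000_000, rcv_wnd=65535)
    for name, rule in (("RFC 793", rst_verdict_rfc793), ("RFC 5961", rst_verdict_rfc5961)):
        tally = run_blind_rst_sweep(victim, rule)
        print(name, {v.value: n for v, n in tally.items()},
              "packets sent:", sum(tally.values()))
    print("random-guess expectation, RFC 793: %.0f, RFC 5961: %.0f"
          % (expected_guesses(victim, False), expected_guesses(victim, True)))
```

The sweep shows the asymmetry behind "lucky guess or high volume attempts": with a 65535-byte window an attacker that is off-path but knows the 4-tuple needs on the order of 65k packets to land one RST under the RFC 793 rule, whereas under RFC 5961 that same sweep produces only a challenge ACK, and the exact-match requirement pushes the random-guess cost to 2^32 packets. Neither rule says anything about who sent the RST, which is the other half of the quoted point: a RST from an in-path middlebox with full visibility of the sequence numbers is accepted just like one from the real peer.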
