This is equally an argument for doing DNS over DTLS. This would give similar performance to DoH over QUIC.
On Mon, Mar 25, 2019 at 10:43 Brian Dickson <brian.peter.dick...@gmail.com> wrote:

> On Mon, Mar 25, 2019 at 10:31 AM Patrick McManus <mcma...@ducksong.com> wrote:
>
>> On Mon, Mar 25, 2019 at 9:37 AM Brian Dickson <brian.peter.dick...@gmail.com> wrote:
>>
>>> Other than blocking all-but-a-few (or all, or a few) DoT servers, I do
>>> not believe anyone has proposed explicit downgrade triggers.
>>
>> that's the downgrade I am referring to
>>
>>> Or do you mean, when a DoT connection is blocked by e.g. a firewall (or
>>> other network enforcement device), that an RST is generated? I believe the
>>> RST requires sequence number validation before it can be processed by the
>>> TCP stack, which means the entity doing the RST generally needs to be in
>>> the data path. Other than "lucky guess" or "high volume attempts", I don't
>>> believe RST to be a serious threat.
>>
>> path manipulation attacks are real. arp attacks.. bootp attacks.. rogue
>> access points. stingray. all kinds of things. unauthenticated network
>> packets are just that: unauthenticated. RST (or blackhole) is a good
>> indication that a path isn't going to work - it's not a good indication of
>> who is expressing that policy (or whether it is a policy at all).
>>
>> Anyhow - I'm really not trying to amp up this thread.. I just felt that
>> there were a few relevant points to the discussion that had not been
>> introduced.
>
> Okay, that's good to know, and I think we are in agreement (i.e. that
> inference is a poor substitute for declarations.)
>
> I think that this is an area that needs thought and mechanism development,
> possibly aligned with DoT/DoH operation, possibly not (or orthogonal to
> them).
>
> Brian
> _______________________________________________
> Doh mailing list
> d...@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
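As an added illustration of Brian's point above that a TCP stack only acts on an RST whose sequence number passes validation (example code written for this page, not from the thread; `ReceiverState`, `rst_action` and the sample state are my own assumptions), the following models the receiver-side check under the original RFC 793 in-window rule and the stricter RFC 5961 exact-match rule, and computes how small a slice of the 32-bit sequence space an off-path "lucky guess" would have to hit under each.

```python
"""Model of a TCP receiver's RST validation (RFC 793 vs. RFC 5961).

Example code for this discussion, not from the mailing list thread.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap modulo 2^32


@dataclass
class ReceiverState:
    rcv_nxt: int  # next sequence number the receiver expects (RCV.NXT)
    rcv_wnd: int  # advertised receive window in bytes (RCV.WND)


def in_window(seg_seq: int, state: ReceiverState) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32."""
    offset = (seg_seq - state.rcv_nxt) % SEQ_SPACE
    return offset < state.rcv_wnd


def rst_action(seg_seq: int, state: ReceiverState, rfc5961: bool = True) -> str:
    """What the stack does with an RST segment carrying SEG.SEQ.

    'drop'          - outside the window, silently discarded
    'reset'         - accepted, the connection is torn down
    'challenge_ack' - in window but not exactly RCV.NXT (RFC 5961 only):
                      the receiver answers with an ACK and ignores the RST
    """
    if not in_window(seg_seq, state):
        return "drop"
    if not rfc5961 or seg_seq == state.rcv_nxt:
        return "reset"
    return "challenge_ack"


def acceptable_rst_fraction(state: ReceiverState, rfc5961: bool = True) -> float:
    """Fraction of the 2^32 sequence space that resets the connection when an
    RST with an otherwise-correct 4-tuple arrives: the window size under
    RFC 793, a single value under RFC 5961."""
    accepted = 1 if rfc5961 else state.rcv_wnd
    return accepted / SEQ_SPACE


if __name__ == "__main__":
    # Constructed sample state: an idle session whose window straddles the wrap point
    st = ReceiverState(rcv_nxt=0xFFFF_FF00, rcv_wnd=65535)
    for seq in (0xFFFF_FF00, 0xFFFF_FFFF, 0x0000_0010, 0x1234_5678):
        print(hex(seq), rst_action(seq, st), rst_action(seq, st, rfc5961=False))
    print("RFC 793 :", acceptable_rst_fraction(st, rfc5961=False))
    print("RFC 5961:", acceptable_rst_fraction(st))
```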