On 2019-10-01 09:38, Stephane Bortzmeyer wrote:
> On Mon, Sep 30, 2019 at 11:56:33PM -0400,
>  Brandon Martin <lists.na...@monmotha.net> wrote 
>  a message of 10 lines which said:
> 
>> It's use-application-dns.net.  NXDOMAIN it, and Mozilla (at least)
>> will go back to using your local DNS server list as per usual.
> 
> Unless, I hope, the user explicitly overrides this. (Because this
> canary domain contradicts DoH's goals, by allowing the very party you
> don't trust to remotely disable security.)

The goal is centralization of DNS and being able to see more of what users (or at 
least the aggregate stats, so that they can claim "we do not keep your 
data/IP/lookups") do; the goal is not that of 'security' or 'privacy'.


While the 'connection to the recursor' is 'encrypted', the recursor is still in 
clear text... one just moves who can see what you are doing with this.


Also keep a split between the protocol and the implementation. DoT and DoH both 
serve the same goal of "encryption", but that is not being used here: they also 
want to move the recursor to another entity...



At least the use-application-dns.net zone is now not DNSSEC signed anymore as 
it was before, thus at least an NXDOMAIN can now be caused instead of SERVFAIL 
as .net indicated a signature, while one overrode that locally...

Greets,
 Jeroen
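Added example, not from the thread and not Mozilla's code: a small Python client that performs the canary lookup discussed above and applies the decision rule as documented for Firefox (NXDOMAIN, or NOERROR with an empty answer, switches DoH off; SERVFAIL does not, which is the point about the formerly signed zone; an explicit user opt-in ignores the canary). The resolver address 127.0.0.1 is an assumption, and the header-only replies built by `build_response` are constructed for offline checking.

```python
import socket
import struct

CANARY = "use-application-dns.net"   # the canary name named in the thread
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def build_response(rcode, ancount, txid=0x1234):
    """Constructed header-only reply (QR, RD, RA set) used for offline tests."""
    return struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, ancount, 0, 0)

def parse_header(data):
    """Return (rcode, ancount) from the 12-byte DNS header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return flags & 0x000F, an

def canary_triggered(rcode, ancount):
    """NXDOMAIN, or NOERROR with an empty answer section, means the network
    asked for DoH to be off. Anything else, including the SERVFAIL a
    validating resolver returned while the zone was still signed and the
    name was overridden locally, leaves DoH on. Simplification: an empty
    answer section stands in for 'no A/AAAA records'."""
    return rcode == NXDOMAIN or (rcode == NOERROR and ancount == 0)

def doh_enabled(rcode, ancount, user_explicit=False):
    """Final decision: an explicit user opt-in overrides the canary."""
    return True if user_explicit else not canary_triggered(rcode, ancount)

def query_canary(resolver="127.0.0.1", timeout=2.0):
    """Ask the given resolver (assumed address) for the canary's A record
    over UDP and return (rcode, ancount). Needs network; not used offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_header(data)

if __name__ == "__main__":
    rcode, ancount = query_canary()
    print("DoH would stay enabled:", doh_enabled(rcode, ancount))
```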
