On Sat, 2020-05-16 at 01:37 +0200, nusenu wrote:
> > I cannot really say anything about how this design compares to other
> > approaches, since I don't know how I can set up meaningful test
> > scenarios to compare them.
>
> Do we really need test setups to discuss protocol designs
> and compare protocols with a common threat model if specs for the
> protocols are available?
>
I think it depends on the context. However, if you want to neglect the context, you can just compare plain DNS employing DNSSEC (authenticity and integrity) to DoH / DoT (confidentiality). There are quite a few comparisons out there, e.g.: [1].

[1] https://blog.circuitsofimagination.com/2018/11/08/dns-o-t-dnssec-dns-o-h.html

> > However, I would appreciate if you could
> > share how to set up such test environments.
>
> take your preferred DoT client implementation that supports the
> strict profile (RFC8310)
> or your preferred DoH implementation and route it over tor to your
> resolver of choice.
>

If you put it like this, then the proposed design would save the required TLS / HTTPS handshake you have in DoT / DoH and would add authenticity and integrity verification of DNS responses. However, the confidentiality you get with DoH / DoT (at the exit relay, which may not even be necessary?) would be missing.

>
> _______________________________________________
> tor-dev mailing list
> tor-dev@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev