Hi,

On Mon, Aug 8, 2016 at 6:41 AM, Shane Kerr <sh...@time-travellers.org> wrote:
> Hello,
>
> There are a few suggestions about the DNS over HTTP draft made off-list,
> which I will try to characterize here:
>
> * We should expand the motivations to explain why DNS over HTTP makes
> sense at all.
>
> * We should restrict the protocol to TLS.
>
> I am happy to expand the motivation section, although I am beginning to
> wonder if it will ever be enough. :)
There is enough motivation for why someone would want DNS/HTTP, but not for why it warrants a standard. Section 1 in -00 said: "It simply serves as a sort of DNS VPN", which is quite accurate. We don't have a standard for DNS over IPsec or OpenVPN because the carrier is not DNS agnostic (or doesn't have to be), as in this case. While this draft solves a legitimate problem, it's still a blessed workaround.

> As for a requirement for TLS... the document currently says that
> implementers SHOULD use TLS. My own feeling is that this should be
> enough; apparently the recommendation to require TLS was made in the
> HTTP/2 working group and rejected, so I am not sure that we need to
> re-visit the entire discussion around the DNS over HTTP protocol.
>
> https://http2.github.io/faq/#does-http2-require-encryption
>
> Note that I do not have a strong preference here. This is a working
> group document, so if there is consensus for requiring TLS then that's
> how it is.
>
> A final oversight that occurred to me is that there should be a privacy
> section. This is because, since the DNS over HTTP serves as a DNS
> resolver, all of the privacy considerations of a normal DNS
> resolver apply, and should be mentioned (probably referencing RFC 7626).
>
> Cheers,
>
> --
> Shane

Best,
Marek

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop