> On Aug 20, 2018, at 10:21 PM, Paul Vixie <p...@redbarn.org> wrote:
>
> Tom Pusateri wrote:
>> ... I don’t know if it’s generally accepted that DoH will replace
>> UDP/53 or DoT in the stub resolver or DoH will just end up in the
>> browsers as a way to speed up web pages. But if DoH stays in the
>> browser and DoT is tried and used on all DNS servers, there’s not a
>> problem to solve.
>
> if DOH is widely used by criminals, botnets, and malware to bypass perimeter
> security policy, then there will be a big problem and we will be solving it
> for many years to come, even if the browser is the only thing using it.
> browsers are where most modern vulns have occurred, and i expect that trend
> to accelerate. "because that's where the money was."
I can see good use cases and bad ones. If web servers did DNSSEC validation and only served addresses for names that were validated, I wouldn’t have a problem with that at all. If web servers only served addresses for names within the domain of the web server, I wouldn’t have a problem with that either. If they start serving non-DNSSEC-validated addresses for names outside their domain, I think they’re overreaching.

Tom

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
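The acceptance rule Tom sketches above (serve an answer only if it was DNSSEC-validated, or if the name lies inside the web server's own domain) is concrete enough to write down. The following is an added illustration, not code from the thread or from any IETF document: it parses the header flags word and question section of a wire-format DNS response, reads the AD ("Authenticated Data") bit, and applies the two-part policy against an assumed `server_domain`. The sample responses are constructed inline with a small builder, so nothing is fetched from the network; `build_response`, `policy_allows` and the 192.0.2.1 answer address are all inventions for this example.

```python
import struct

# "Authenticated Data" bit in the DNS header flags word (RFC 4035 section 3.2.3).
AD_FLAG = 0x0020


def encode_name(name: str) -> bytes:
    """Encode a dotted domain name as DNS wire-format labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out.extend(label.encode("ascii"))
    out.append(0)  # root label terminates the name
    return bytes(out)


def decode_name(msg: bytes, offset: int):
    """Decode a wire-format name at offset; return (name, next_offset).

    Follows compression pointers (RFC 1035 section 4.1.4) but caps the hop
    count so a malicious pointer loop cannot spin forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-octet compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", (end if end is not None else offset)


def parse_flags_and_question(msg: bytes):
    """Return (flags, qname) from a DNS message carrying exactly one question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, _ = decode_name(msg, 12)  # question section starts right after the header
    return flags, qname


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a descendant of zone (case-insensitive)."""
    q = qname.lower().rstrip(".") + "."
    z = zone.lower().rstrip(".") + "."
    return q == z or q.endswith("." + z)


def policy_allows(msg: bytes, server_domain: str) -> bool:
    """Tom's rule: pass the answer if the resolver marked it validated (AD set),
    or if the queried name is within the serving web server's own domain."""
    flags, qname = parse_flags_and_question(msg)
    if flags & AD_FLAG:
        return True
    return in_zone(qname, server_domain)


def build_response(qname: str, ad: bool, rdata: bytes = b"\xc0\x00\x02\x01") -> bytes:
    """Constructed test data (not a capture): a minimal response with one A
    question and one A answer (default 192.0.2.1, from the documentation range)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name -> offset 12
    return header + question + answer


if __name__ == "__main__":
    server_domain = "example.com."  # assumed domain of the hypothetical web server
    for name, ad in [("www.example.com.", False), ("cdn.other.test.", True), ("cdn.other.test.", False)]:
        verdict = "serve" if policy_allows(build_response(name, ad), server_domain) else "refuse"
        print(f"{name:20} AD={int(ad)} -> {verdict}")
```

One caveat a practitioner would add: the AD bit is only an assertion by whichever resolver produced the response. It carries weight only if the client trusts that resolver and the channel it came over is authenticated (which is exactly what DoT and DoH provide, and what plain UDP/53 does not); a server that wants the first half of the rule to mean anything has to validate itself or trust its upstream.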