Of course, the question is, how does the consumer of that data decide what is okay and what's not? We can't just say that the server has to behave correctly: someone has to enforce it.
On Mon, Aug 20, 2018 at 10:25 PM, Tom Pusateri <pusat...@bangj.com> wrote:

> > On Aug 20, 2018, at 10:21 PM, Paul Vixie <p...@redbarn.org> wrote:
> >
> > Tom Pusateri wrote:
> >> ... I don't know if it's generally accepted that DoH will replace
> >> UDP/53 or DoT in the stub resolver or DoH will just end up in the
> >> browsers as a way to speed up web pages. But if DoH stays in the
> >> browser and DoT is tried and used on all DNS servers, there's not a
> >> problem to solve.
> >
> > if DOH is widely used by criminals, botnets, and malware to bypass
> > perimeter security policy, then there will be a big problem and we will be
> > solving it for many years to come, even if the browser is the only thing
> > using it. browsers are where most modern vulns have occurred, and i expect
> > that trend to accelerate. "because that's where the money was."
>
> I can see good use cases and bad ones.
>
> If web servers did DNSSEC validation and only served addresses for names
> that were validated, I wouldn't have a problem with that at all.
>
> If web servers only served addresses for names within the domain of the
> web server, I wouldn't have a problem with that either.
>
> if they start serving non DNSSEC validated addresses for names outside
> their domain, I think they're overreaching.
>
> Tom
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
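Tom's two acceptance conditions above (DNSSEC-validated answers, or answers only for names within the web server's own domain) written as the consumer-side check the reply asks for. This is an added example, not code from the thread or from any DoH implementation; the wire-format parsing follows RFC 1035, and the `server_zone` parameter and the constructed response are assumptions for illustration.

```python
import struct

def decode_name(msg, off):
    """Decode a wire-format name at msg[off:], following compression pointers (RFC 1035 4.1.4)."""
    labels, end, jumped = [], 0, False
    for _ in range(128):                      # bound the loop so a pointer cycle cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:             # two-byte pointer into the message
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    raise ValueError("name too long or pointer loop")

def in_bailiwick(name, zone):
    """Label-wise suffix test: www.example.com is under example.com; evilexample.com is not."""
    n, z = name.lower().rstrip(".").split("."), zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def answers_acceptable(msg, server_zone):
    """Client-side policy: take the answers only if the response carries the AD bit
    (resolver reports DNSSEC validation) or every answer owner name is within server_zone."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x0020:                        # AD (Authentic Data) flag
        return True
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = decode_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rdlen = struct.unpack_from("!HHIH", msg, off)[3]
        off += 10 + rdlen                     # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if not in_bailiwick(owner, server_zone):
            return False
    return True

def build_response(qname, ip, ad):
    """Constructed minimal A response (test data, not a captured packet); owner name is a pointer to QNAME."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | (0x0020 if ad else 0), 1, 1, 0, 0)
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    rdata = bytes(int(o) for o in ip.split("."))
    return hdr + qname_wire + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
```

The AD bit is only as trustworthy as the channel to the resolver that set it, which is the point of running the check in the consumer rather than trusting the server to behave.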