Sure. My point was that there could be legitimate uses of DoH. You have to move DNSSEC validation from the resolver to the client in order to really validate the answers if you can’t trust the resolver.
Tom > On Aug 20, 2018, at 10:28 PM, Ted Lemon <mel...@fugue.com> wrote: > > Of course, the question is, how does the consumer of that data decide what is > okay and what's not? We can't just say that the server has to behave > correctly: someone has to enforce it. > > On Mon, Aug 20, 2018 at 10:25 PM, Tom Pusateri <pusat...@bangj.com > <mailto:pusat...@bangj.com>> wrote: > > > > On Aug 20, 2018, at 10:21 PM, Paul Vixie <p...@redbarn.org > > <mailto:p...@redbarn.org>> wrote: > > > > > > > > Tom Pusateri wrote: > >> ... I don’t know if it’s generally accepted that DoH will replace > >> UDP/53 or DoT in the stub resolver or DoH will just end up in the > >> browsers as a way to speed up web pages. But if DoH stays in the > >> browser and DoT is tried and used on all DNS servers, there’s not a > >> problem to solve. > > > > if DOH is widely used by criminals, botnets, and malware to bypass > > perimeter security policy, then there will be a big problem and we will be > > solving it for many years to come, even if the browser is the only thing > > using it. browsers are where most modern vulns have occurred, and i expect > > that trend to accelerate. "because that's where the money was.” > > I can see good use cases and bad ones. > > If web servers did DNSSEC validation and only served addresses for names that > were validated, I wouldn’t have a problem with that at all. > > If web servers only served addresses for names within the domain of the web > server, I wouldn’t have a problem with that either. > > if they start serving non DNSSEC validated addresses for names outside their > domain, I think they’re overreaching. > > Tom > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop > <https://www.ietf.org/mailman/listinfo/dnsop> >
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
