Tom Pusateri wrote:
> On Aug 20, 2018, at 10:21 PM, Paul Vixie <p...@redbarn.org> wrote:
>> if DOH is widely used by criminals, botnets, and malware to bypass
>> perimeter security policy, then there will be a big problem and we
>> will be solving it for many years to come, even if the browser is
>> the only thing using it. browsers are where most modern vulns have
>> occurred, and i expect that trend to accelerate. "because that's
>> where the money was."
>
> I can see good use cases and bad ones.

all power tools can kill.

> If web servers did DNSSEC validation and only served addresses for
> names that were validated, I wouldn't have a problem with that at
> all.
>
> If web servers only served addresses for names within the domain of
> the web server, I wouldn't have a problem with that either.
>
> if they start serving non DNSSEC validated addresses for names
> outside their domain, I think they're overreaching.

DOH's use will be indiscriminate, and will reach DNS servers who have
web protocol front ends, who will offer full-spectrum RDNS. there will
be no binding or relation at all between the web content servers and the
DNS content servers who happen to use web protocols. so, please worry.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
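The exchange above turns on two concrete mechanisms: the DoH "web protocol front end" Vixie describes is just an RFC 8484 HTTPS request carrying a wire-format DNS message, and the "only serve DNSSEC-validated names" rule Pusateri proposes is, from the client's side, a check of the AD (authenticated data) flag in that message. The following is an added example, not code from the thread or from either author: it builds the GET form of a DoH query for a name, parses an `application/dns-message` reply, and applies the validated-only rule. The endpoint `doh.example.net` and the reply bytes are constructed for illustration and are not captured from any real resolver.

```python
# Added example (not code from the thread or from any of its authors):
# an RFC 8484 DoH GET request built from a raw DNS query, and a parser
# for the application/dns-message response that reports the AD bit.
import base64
import ipaddress
import struct

# Hypothetical resolver endpoint, chosen only for illustration.
DOH_ENDPOINT = "https://doh.example.net/dns-query"

def build_query(name, qtype=1):
    """Wire-format DNS query: RD=1, ID 0 as RFC 8484 suggests for cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(endpoint, wire):
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Return rcode, the AD (authenticated data) flag and any A records."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip question section
        _, off = _read_name(msg, off)
        off += 4                                    # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:               # A record
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}

# Constructed response, not captured from any real resolver: QR/RD/RA/AD set,
# one A record for example.com pointing at a documentation address.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

def validated_addresses(msg):
    """The validated-only rule applied client-side: use answers only when the
    resolver set AD=1. The flag is only as trustworthy as the resolver that
    set it, which is exactly the binding DoH does not provide."""
    parsed = parse_response(msg)
    if parsed["rcode"] != 0 or not parsed["ad"]:
        return []
    return [addr for _, _, addr in parsed["answers"]]

if __name__ == "__main__":
    wire = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, wire))
    print(parse_response(CONSTRUCTED_RESPONSE))
    print(validated_addresses(CONSTRUCTED_RESPONSE))
```

The URL this produces is indistinguishable from any other HTTPS GET, which is the perimeter problem the thread is about. The AD check shows the limit of the client-side version of the validated-only rule: a stub that cannot validate DNSSEC itself is trusting whichever resolver answered over HTTPS to have done so honestly.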