Tony Finch <d...@dotat.at> wrote:
>
> A URI template usually implies the need for DNS queries to resolve the
> server name (unless it's an address literal). Would it be plausible to
> allow the client to assume that the DoH server IP addresses are the same
> as the DNS server addresses, so it can skip the lookup? I guess that would
> be too annoying for operators that want their DoH servers to be separate
> from their normal DNS resolvers, so maybe it's a bad idea :-)
There was an interesting discussion on Twitter last night -
https://twitter.com/PowerDNS_Bert/status/1031284355686178817

Bert Hubert made the point that https has a lot more opportunities for
identifying and tracking individual devices, compared to trad DNS. Home
gateways that act as DNS relays help with individual privacy, especially
if they also cache.

I think the implications of this, and the arguments that Paul Vixie has
been making, are that there will be unexpected privacy and security
upsets if the DoH resolution path is too different from the trad DNS
resolution path. This is really a problem with how DoH is deployed and
used. So it's important to make it easy for operators to deploy DoH in a
way that doesn't have surprising privacy leaks when it is supposed to be
a privacy-enhancing technology.

DHCP options can help to make all the DoTH stuff behave in a similar way
to the network's trad DNS - it's much simpler from the user's perspective
if they only need to worry about how respectful or abusive their network
provider is as a whole, without having to get into the details of exactly
which resolution protocol they are using.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Humber, Thames, Dover: Southwest 4 or 5, occasionally 6, except in
Humber. Slight, occasionally moderate. Fog patches at first. Moderate or
good, occasionally very poor at first.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
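The bootstrap question in the quoted paragraph (does the DoH URI template's host need a cleartext DNS lookup, and could a client instead reuse the addresses it already has for the network's resolvers?) is concrete enough to sketch in code. The following is an added example written for this page; it is not code from Tony Finch, the DNSOP thread, or any DoH implementation. It parses an RFC 8484 template, classifies the host as an address literal or a name, and, for a name, applies the policy floated above: connect to each DHCP-provided resolver address with SNI set to the template's name so the certificate is still checked against that name. The template strings, the resolver addresses and the sample query are constructed for the example; the GET encoding follows RFC 8484 (base64url, padding stripped).

```python
"""DoH URI template bootstrap helper (added example, not from the DNSOP thread)."""
import base64
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 8484 templates carry a single RFC 6570 variable, e.g.
# https://dns.example.net/dns-query{?dns}. Anything else is rejected rather
# than guessed at, so a malformed template cannot turn into an odd lookup.
_TEMPLATE_RE = re.compile(r"^(?P<base>https://[^{}\s]+)\{\?dns\}$")


def split_template(template):
    """Return (base_url, host, port) for a DoH URI template.

    host is the bare name or address literal (IPv6 brackets removed);
    port defaults to 443. Raises ValueError for non-https or non-{?dns}
    templates.
    """
    m = _TEMPLATE_RE.match(template)
    if not m:
        raise ValueError("not an RFC 8484 DoH URI template: %r" % template)
    base = m.group("base")
    parts = urlsplit(base)
    if not parts.hostname:
        raise ValueError("template has no host")
    return base, parts.hostname, parts.port or 443


def host_is_address_literal(host):
    """True if the host is an IPv4/IPv6 literal, so no DNS lookup is needed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bootstrap_endpoints(template, dhcp_dns_servers):
    """Decide where the first TLS connection to the DoH server may go.

    Returns a list of (address, sni, port):
      * address literal in the template: connect there, no lookup at all;
      * name in the template: the "assume the DoH server shares the
        network's DNS server addresses" policy from the thread, i.e. try
        each DHCP-provided resolver address with SNI = the template's name.
    This only avoids the cleartext lookup that would leak the DoH server's
    name; the caller must still validate the certificate for that name (or
    for an IP SAN in the literal case) before sending any query.
    """
    _, host, port = split_template(template)
    if host_is_address_literal(host):
        return [(host, None, port)]  # no SNI for literals; needs an IP SAN
    candidates = []
    for addr in dhcp_dns_servers:
        ipaddress.ip_address(addr)  # fail early on garbage from DHCP
        candidates.append((addr, host, port))
    return candidates


def doh_get_url(template, dns_message):
    """Expand the template for a GET: base64url with '=' padding removed (RFC 8484 s.6)."""
    base, _, _ = split_template(template)
    encoded = base64.urlsafe_b64encode(dns_message).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (base, encoded)


def example_query(qname="www.example.com"):
    """Constructed sample: minimal A query, ID 0, RD set, no EDNS."""
    header = b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + b"\x00\x01\x00\x01"


if __name__ == "__main__":
    dhcp_servers = ["192.0.2.53", "2001:db8::53"]  # constructed, as if from DHCP
    for t in ("https://[2001:db8::1]/dns-query{?dns}",
              "https://dns.example.net/dns-query{?dns}"):
        print(t, "->", bootstrap_endpoints(t, dhcp_servers))
    print(doh_get_url("https://dns.example.net/dns-query{?dns}", example_query()))
```

Note that the literal-address case sidesteps the tracking concern only for the bootstrap lookup; the HTTPS session itself still carries all the per-device identifiers Bert Hubert was pointing at, which is the separate deployment problem the rest of the message is about.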