On Tue, Aug 21, 2018 at 1:37 PM David Conrad <[email protected]> wrote:
> Vittorio,
>
> On Aug 21, 2018, at 3:33 AM, Vittorio Bertola <[email protected]> wrote:
>
>> If so, I can accept your use case: a smart user, knowing what he is doing,
>> does not want anyone else to sanitize his queries for him. But I don't see
>> why the best solution to your use case - which is quite a minority case,
>> though easily overrepresented in a technical environment - is to build a
>> sort of "nuclear bomb" protocol that, if widely adopted, will destroy most
>> of the existing practices in the DNS "ecosystem" (I'm using the word that
>> was being used at ICANN's DNS Symposium in Montreal), including the basic
>> security measures that protect the 99.9% of the users who are not
>> technically smart.
>
> Perhaps I'm misunderstanding: are you saying the folks who provide
> resolution services in a DoH world would have incentive to not follow basic
> security measures?
>
> Regards,
> -drc

At my university, our security group watches DNS RPZ logs and DNS traffic
logs for signs of malware, and takes action. In a DoH world, I cannot
imagine every third-party DoH provider giving our security group that
information. They will follow their own security measures, but will still
affect ours because we lose visibility.

--
Bob Harold
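To make the "visibility" point concrete, here is an added example (not code from anyone in this thread) of the kind of detection a campus security group can run over resolver RPZ logs: parse the rewrite messages, count hits per client, and flag hosts that repeatedly resolve blocked names. The log lines are constructed, and their layout is an approximation of BIND's RPZ rewrite log format (treat the exact field order as an assumption). Once clients send their queries to a third-party DoH resolver over HTTPS, none of these lines exist on the local resolver, so this logic has nothing to work on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like BIND's RPZ rewrite log messages
# (approximate layout; the exact format is an assumption, not a spec).
SAMPLE_RPZ_LOG = """\
21-Aug-2018 13:40:01.123 rpz: info: client @0x7f3a1c0 10.10.5.23#51322 (cnc.bad.example): rpz QNAME NXDOMAIN rewrite cnc.bad.example via cnc.bad.example.rpz.local
21-Aug-2018 13:40:02.456 rpz: info: client @0x7f3a1c0 10.10.5.23#51323 (dl.bad.example): rpz QNAME NXDOMAIN rewrite dl.bad.example via dl.bad.example.rpz.local
21-Aug-2018 13:40:03.789 rpz: info: client @0x7f3a1c1 10.10.7.8#40000 (ads.example.net): rpz QNAME CNAME rewrite ads.example.net via ads.example.net.rpz.local
21-Aug-2018 13:40:04.001 rpz: info: client @0x7f3a1c0 10.10.5.23#51324 (cnc.bad.example): rpz QNAME NXDOMAIN rewrite cnc.bad.example via cnc.bad.example.rpz.local
21-Aug-2018 13:40:05.002 query-errors: info: client @0x7f3a1c2 10.10.9.1#5353 (www.example.org): query failed (SERVFAIL)
"""

# Pull out the client address, the queried name, the RPZ trigger type and the
# action taken; lines that are not RPZ rewrites (the last sample) do not match.
RPZ_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<client>[\d.]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite"
)


def parse_rpz_hits(text):
    """Return a list of dicts, one per RPZ rewrite line, in log order."""
    hits = []
    for line in text.splitlines():
        m = RPZ_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def clients_over_threshold(hits, threshold=2):
    """Map client -> {qname: count} for clients with at least `threshold`
    RPZ hits. This is the list a security group would act on."""
    per_client = defaultdict(Counter)
    for h in hits:
        per_client[h["client"]][h["qname"]] += 1
    return {
        client: dict(names)
        for client, names in per_client.items()
        if sum(names.values()) >= threshold
    }


if __name__ == "__main__":
    hits = parse_rpz_hits(SAMPLE_RPZ_LOG)
    for client, names in clients_over_threshold(hits).items():
        print(f"{client}: {names}")
```

The threshold is deliberately low for the sample; in practice it would be tuned per policy zone, since an ad-blocking rewrite and a C2-domain rewrite do not carry the same weight. The same parse-and-aggregate shape works for any resolver that logs its policy decisions, which is exactly the data an external DoH provider keeps and the local operator never sees.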
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
