> On 24 August 2018 at 17:26 Vladimír Čunát <vladimir.cunat+i...@nic.cz> wrote:
>
> Still, personally I'd probably prefer to choose someone from a list of providers, as we might have quite a lot soon, and "I" might trust some of the names already, and the handshake will then verify that the name matches.
While having users in charge might in the end be the best thing to balance all the conflicting interests and threat mitigation needs, I am not sure that putting the user in front of a list of all the existing DoH resolution providers (thousands? hundreds of thousands?) is a great idea. In terms of user experience, to allow users to make an informed choice, the list would need to provide users with information on the policy of each server (see the current draft in DPRIVE) and it would end up being pretty hard to lay out and use in a meaningful way.

Also, if you can't even find a way to transmit securely to the user device the information on the single DoH resolver that serves the local network, how can you maintain and transmit securely an updated list of all the existing DoH providers?

On the other hand, you could imagine that the application, or the OS, could create its own shortlist of "approved" DoH resolvers and transmit it securely from its own servers, or include it in the application's installation procedure. But this would open up significant policy/legal issues in terms of antitrust and fair competition among DoH providers. I'm not saying that there's no way to do it properly, but it is not as simple as it looks.

In the end, the policy of having your names resolved by default by a local server on your access network, while leaving you free to configure a different resolver that you find out-of-band if you want to, emerged over 30 years because it makes a lot of sense. I still have to hear a compelling technical or policy reason for the attempt to change this default and turn DNS resolution into yet another over-the-top service subject to global competition and market consolidation, other than "there are some big companies that would like to resolve the names for the whole world because they can gain from the data they would gather".
Regards,

--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop