On 3/10/2019 8:25 PM, nalini elkins wrote:
>
> Similarly, putting DNS in user space allows for immediate adoption
> of DNSSEC and privacy enhancements, even when the operating system or
> the local network does not support them
>
> At enterprises (banks, insurance, etc) on their internal networks,
> people run their own DNS servers which may resolve for both internal
> and external sites.
>
> We were recently talking to a Fortune 50 company in the United States
> about what might happen if you install a version of the browser which
> uses DNS-over-HTTPS automatically. (Clearly, this applies to any
> variant.)
>
> The questions that the Fortune 50 company architect asked were
> something like this:
>
> 1. You mean that DNS could be resolved outside my enterprise?
>
> 2. So whoever that is that resolves my DNS sees the pattern and
> frequency of what sites my company goes to?
>
> 3. How do I change this?

There are a bunch of conflicting requirements here, and it would be good to tease out the contradictions. Consider the following cases:

1) I am using my phone, and using application-X.

2) I am at home, using application-X on my home computer.

3) I am using Wi-Fi in a hotel, and using application-X.

4) I am using my work laptop on the enterprise network, and using application-X.

5) I am using my work laptop in a hotel, and using application-X.

6) I am using my work laptop on the network of a customer, and using application-X.

Today, plenty of people claim the right to control how I use the DNS: my phone carrier, my ISP at home, the company that got the contract to manage the hotel's Wi-Fi, the IT manager for my company's laptop, the IT manager for the company that I am visiting. Out of those, there is just one scenario for which the claim has some legitimacy: if the company pays for my laptop and owns the laptop, yes of course it has a legitimate claim to control how I am using it. Otherwise, I, the user, get to decide. If I like the application's setting better than the network's default, then of course I expect those settings to stick.

-- Christian Huitema

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop