> -----Original Message-----
> From: Stephen Farrell <stephen.farr...@cs.tcd.ie>
> Sent: Tuesday, March 12, 2019 5:30 AM
> To: Paul Vixie <p...@redbarn.org>; d...@ietf.org
> Cc: nalini elkins <nalini.elk...@e-dco.com>; Konda, Tirumaleswar Reddy <tirumaleswarreddy_ko...@mcafee.com>; dnsop@ietf.org; Ackermann, Michael <mackerm...@bcbsm.com>; Christian Huitema <huit...@huitema.net>; dns-priv...@ietf.org; Vittorio Bertola <vittorio.bertola=40open-xchange....@dmarc.ietf.org>
> Subject: Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
>
> (This distribution list is too scattered and diverse. Be great if some AD or someone just picked one list for this. In the meantime...)
>
> On 11/03/2019 20:43, nalini elkins wrote:
> > impact assessment that certain changes such as DoH and TLS1.3 will
> > have on enterprises,
>
> TLS1.3 will, I expect, noticeably improve security for an awful lot of enterprises in time.
>
> As for DoH, I wonder has anyone done studies on how split-horizon names and access patterns leak today?
>
> I don't recall having read that kind of study. I can imagine many ways in which that kind of stuff would leak. I'd be very surprised if it never happens. I don't know how often it does.
>
> For names, leaking once is kinda fatal. For access patterns, I guess one leak exposes an IP address that's interested in a name (e.g. secret-project.example.com) but more would be needed for broader access patterns to be exposed to "foreign" recursives and/or in-band networks.
>
> ISTM that it is quite possible that enterprises that deploy their own DoH services could potentially reduce such leakage and gain overall. (I'm assuming here that sensible browser-makers will end up providing something that works for browsers running in networks with split-horizon setups before those browsers turn on DoH as a default at scale.)

If the enterprise network provides a DoT/DoH server, the browser should be able to discover and use the enterprise DoT/DoH server.

-Tiru

> Cheers,
> S.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
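As an added example (not code from the thread or from draft-bertola-bcp-doh-clients): a Python sketch of the client-side behaviour the two messages above are discussing, namely a DoH client that applies a split-horizon policy so enterprise names never reach a "foreign" recursive. It builds the RFC 8484 GET request (wire-format query, base64url without padding, in the `dns` parameter; the first URL it produces reproduces the GET example in RFC 8484), routes names under assumed internal suffixes to an assumed enterprise DoH server, and reports which internal names would leak when the browser has not discovered that server. The resolver URLs, the `corp.example` suffix and the sample names are constructed for illustration; nothing is sent on the network.

```python
"""Added example, not part of the original thread: a split-horizon routing check
for an RFC 8484 DoH client. Resolver URLs and the internal suffix are
hypothetical; nothing is sent on the network."""
import base64
import struct
from dataclasses import dataclass


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Encode a minimal DNS wire-format query (RFC 1035 header + one question).

    RFC 8484 recommends message ID 0 for DoH, so identical queries map to
    identical (cacheable) URLs.  Flags 0x0100 = RD only; QDCOUNT = 1.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: the wire query, base64url-encoded with padding
    stripped, carried in the 'dns' query parameter."""
    wire = build_query(name, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


@dataclass(frozen=True)
class SplitHorizonPolicy:
    """Which DoH server a name should be sent to.

    internal_suffixes: zones that only resolve (or should only be seen)
    inside the enterprise.  enterprise_doh / public_doh: hypothetical URLs.
    """
    internal_suffixes: tuple
    enterprise_doh: str
    public_doh: str

    def is_internal(self, name: str) -> bool:
        # Suffix match on label boundaries: "corp.example" must not match
        # "notcorp.example".  Names are case-insensitive and may carry a
        # trailing dot.
        n = name.rstrip(".").lower()
        suffixes = (s.rstrip(".").lower() for s in self.internal_suffixes)
        return any(n == s or n.endswith("." + s) for s in suffixes)

    def route(self, name: str) -> str:
        return self.enterprise_doh if self.is_internal(name) else self.public_doh


def leaked_internal_names(names, policy: SplitHorizonPolicy,
                          enterprise_discovered: bool) -> list:
    """Internal names that would be sent to the public ('foreign') recursive.

    If the browser never discovered the enterprise server, every query goes
    to the public resolver and each internal name leaks on its first lookup.
    """
    leaked = []
    for n in names:
        target = policy.route(n) if enterprise_discovered else policy.public_doh
        if policy.is_internal(n) and target == policy.public_doh:
            leaked.append(n)
    return leaked


if __name__ == "__main__":
    policy = SplitHorizonPolicy(
        internal_suffixes=("corp.example",),                     # hypothetical
        enterprise_doh="https://doh.corp.example/dns-query",     # hypothetical
        public_doh="https://public-doh.example.net/dns-query",   # hypothetical
    )
    sample = ["secret-project.corp.example", "intranet.corp.example.",
              "notcorp.example", "www.example.org"]              # constructed
    for n in sample:
        print(n, "->", doh_get_url(policy.route(n), n))
    print("leaked without discovery:",
          leaked_internal_names(sample, policy, enterprise_discovered=False))
    print("leaked with discovery:",
          leaked_internal_names(sample, policy, enterprise_discovered=True))
```

The check worth keeping from this is the last one: without discovery of the enterprise server, every internal name leaks on its first lookup, and a name leaked once cannot be un-leaked. So the routing decision has to be settled before the client sends its first DoH query, not corrected afterwards.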