On 3/12/19 9:14 AM, Jim Reid wrote:
>
>
>> On 12 Mar 2019, at 16:01, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>>
>> I still do not understand why people have a problem with DoH which did
>> not already exist before with my-own-name-resolution-protocol-over-HTTPS.
>
> It’s a question of scale/ubiquity. These “alternate” resolution tricks have up
> until now been mostly confined to a small number of clueful people. That is
> going to change dramatically once the world’s web browsers and other
> web-based apps start using DoH. More so if those platforms have DoH enabled
> by default.
There's also a fundamental tension that arises when we define as legitimate those practices that are indistinguishable (or hard to distinguish) from what bad guys do. Think of all of the HR departments out there that send *legitimate* emails asking their employees to click on a link to update/verify information. DoH does this too, and it arguably goes a step further by effectively obfuscating DNS resolution activity, so that legitimate users occupy the same "hideout" as the bad guys.

This is one of the main themes of section 9 of draft-reid-doh-operator and one of the main motivations in the recommendations of section 4 of draft-bertola-bcp-doh-clients, but it bears restating because for those of us trying to do risk mitigation, or even policy compliance, DoH gives us additional headaches.

michael

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop