On 2019-03-12 4:51 p.m., Paul Vixie wrote:
> On Tuesday, 12 March 2019 21:38:44 UTC Stephen Farrell wrote:
> DoH intends "to prevent on-path interference with DNS operations", and that's
> well beyond the remit of RFC 7626, and is therefore not spoken to one way or
> another by IETF consensus. i do not believe that a non-interference objective
> would reach broader IETF consensus. perhaps we can test that one day.
I'm not sure I understand the double-double negative happening here.
It appears to me that there is considerable support for DoH, meaning
there is support for non-interference.
In the IPv6 spectrum with the mac/slaac randomization games which have
become standardized, and which have been instituted to supply other
forms of security/hiding/non-interference, it appears that DoH would
similarly be 'allowed' through the standardization process.
Having said that, and if this is how one performs the testing, I would
have to say that DoH would make it much harder for me as a security
engineer to perform my duties.
It would seem that if DoH is standardized, then it would probably become
standard practice, then like 8.8.8.8 and similar quads, by default
meaningful data becomes hidden for managing the interior of networks.
For some networks, pi-hole is a mechanism for preventing certain traffic
operations. As I look at it this moment, it has over 112K domains
blacklisted, and on one particular network, 31% of the queries have been
blocked as a passive protection mechanism.
I find these blocks useful. With DoH, probably DoH would become
ubiquitous, and these types of blocks would be prevented.
Https is common ground for much hiding. DNS is probably our last
bastion of having any semblance of identification of what is happening
to the interior of our networks. Carriers might not be so concerned.
But for those who operate enterprise, business, home, some forms of
social protection, security management becomes more difficult.
As has happened in the IPv6 space, the same happens here in the DNS
space: there are groups who wish the privacy/non-interference/hiding
ability vs the groups who need the information in the data streams to
properly secure and manage the interior and perimeter.
How would the requirements of each group be recognized? The simplest
would be to not proceed with DoH.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop