On Fri, 12 Jul 2019, Paul Wouters wrote: > > I find the term "security policy", a bit unnerving here. A DNS server > is either secure (and tells the truth), or it is not secure (and tells > lies). There is no "better". Some people say lying is more "secure for the > user", but that can really only come from a pre-existing configuration, > not a random DNS server offered by your random local network. > > I think the better term here is "privacy policy". We kind of assume > all DoH severs are "secure" (at least for their transport, see above) > but we feel we can trust some DoH servers more than others for privacy.
No, it is really about security, but in a broader sense. Some resolvers will lie to you when you try to access a known malicious destination, e.g. a website which hosts malware or phishing, or, if "you" are a bot, your command and control server. This would be "insecure" by your definition above, but in reality it makes the whole Internet access experience more secure. In this scenario, a "better" security policy by a resolver is one using a list of filtered destinations that is more precise, more timely updated, more localized, more tailored to your own needs (including the fact that some resolvers allow each individual user of the local network to choose a different filtering policy, or none at all). So the user might indeed want to use a resolver that employs a better security policy, or even the resolver with which they have a contract to provide a specific security policy, which, in the case of ISPs, will usually be the one advertised by the local network. -- Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bert...@open-xchange.com Office @ Via Treviso 12, 10144 Torino, Italy _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
