On Monday, 15 July 2019 02:17:04 UTC Rob Sayre wrote:
> On Sun, Jul 14, 2019 at 6:59 PM Paul Vixie <p...@redbarn.org> wrote:
> > ...
>
> I'm surprised that you seem to view DoH as a problem. I mean, everyone knows
> that TLS and IPSEC are compromised by determined attackers, ...

if you know a way that modern TLS 1.3 can be compromised by MiTM, i'd like to know more. a lot of us are moving from MiTM to explicit outbound proxy with an internally trusted key in order to fulfill our corporate or regulatory obligations.

> but I didn't know
> it was a continued sore spot. If you have more to say, I would like to hear
> it.

the introduction of the DoH RFC explains that this protocol is designed to prevent interference by on-path actors in dns operations. i am a committed, determined on-path interferer, both for parental controls at home and corporate controls at $dayjob. see https://dnsrpz.info/ for background, but note that i am not the first to do something like RPZ at wide scale, nor is RPZ the only known way to use network-level DNS to protect end users and apps.

i could go (and have gone) on at great length about the pratfalls of DoH, but instead i'll sum up by saying that DoH is designed to increase the costs of an activity i MUST pursue, and it ignorantly lumps together private networks like home or corporate, public networks like coffee shops or ISPs, and networks in authoritarian places like china and turkey. i despise this ignorance entirely.

see also: https://www.darkreading.com/vulnerabilities---threats/benefits-of-dns-service-locality/a/d-id/1333088

my best imagined outcome is mozilla saying oops, DoT will be fine, we're taking DoH out. because internet communications has always relied on revocable cooperation, consisting both of the willingness to speak a protocol, and the willingness to permit it through gateways one operates. by deliberately denying network operators the ability to withhold permission, DoH is an attack on the cooperative substrate of the internet itself.

-- 
Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
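As an added illustration, not part of the message above or of the DNSOP thread, here is the kind of network-level DNS policy the author is referring to: a minimal Response Policy Zone (RPZ) as loaded by a BIND resolver. The zone name `rpz.example`, the triggered domains and the walled-garden address are all constructed for this example. The resolver enables it with `response-policy { zone "rpz.example"; };` in its `options` block; a client that sends its queries over DoH to an outside resolver never reaches this server, so none of these rules apply to it, which is exactly the loss of control the message complains about.

```zone
; rpz.example -- constructed example policy zone (not from the original post)
$TTL 300
@   IN SOA  localhost. root.localhost. ( 2019071501 3600 600 604800 300 )
@   IN NS   localhost.

; QNAME trigger: answer NXDOMAIN for the name and every name under it
badsite.example                IN CNAME .
*.badsite.example              IN CNAME .

; NODATA instead of NXDOMAIN (name exists, no records of the type asked for)
tracker.example                IN CNAME *.
*.tracker.example              IN CNAME *.

; Local data: redirect to an internal "blocked" page (walled garden)
phish.example                  IN A     192.0.2.10
*.phish.example                IN A     192.0.2.10

; Explicit allow-list entry that overrides a broader trigger
allowed.badsite.example        IN CNAME rpz-passthru.

; Drop the query silently (no response at all)
c2.example                     IN CNAME rpz-drop.

; Force the client to retry over TCP (useful against spoofed-source floods)
abused.example                 IN CNAME rpz-tcp-only.

; Response IP trigger: any answer pointing into 192.0.2.128/25 gets NXDOMAIN
25.128.2.0.192.rpz-ip          IN CNAME .
```

Triggers are matched in the order RPZ defines (client IP, QNAME, response IP, NSDNAME, NSIP), and within a zone the most specific QNAME wins, which is why the `rpz-passthru.` entry for `allowed.badsite.example` beats the wildcard above it. Increment the SOA serial whenever the zone changes so secondaries pick up the new policy.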