"DNSOP" <dnsop-boun...@ietf.org> wrote on 07/14/2019 21:17:04:
> From: "Rob Sayre" <say...@gmail.com>
> To: "Paul Vixie" <p...@redbarn.org>
> Cc: dnsop@ietf.org
> Date: 07/14/2019 21:17
> Subject: [External] Re: [DNSOP] Fwd: [Add] new draft: draft-grover-
> add-policy-detection-00
> Sent by: "DNSOP" <dnsop-boun...@ietf.org>
>
> On Sun, Jul 14, 2019 at 6:59 PM Paul Vixie <p...@redbarn.org> wrote:
> the web community caught wind of it and threw a molotov cocktail into our
> movie theater -- DoH.
>
> changing DNS isn't quick or easy or cheap -- it's the trifecta of
> "fast, good,
> or cheap, choose two" and you have to say "i choose none of the above.."
>
> I'm surprised that you seem to view DoH as a problem. I mean, everyone
> knows that TLS and IPSEC are compromised by determined attackers, but I
> didn't know it was a continued sore spot. If you have more to say, I would
> like to hear it.
>
> thanks,
> Rob
I don't know how you could possibly be genuinely surprised by this. I've
been lurking on here for a year, and Paul's been railing on this the entire
time. As far as I can tell, his position has been that DoT strikes the right
balance between network management and security, while DoH abandons the
network management ability for no real gain in security.

Arguably there's actually a decrease in security over DoT as, rather than
your network provider being the one who knows what DNS lookups you're
doing, it's now some third party with whom you have no relationship. Let's
be clear, "some third party" is pronounced "Cloudflare." This isn't to bash
on Cloudflare, but everyone's DNS traffic going to ONE company? That's the
NSA's wet dream. Furthermore, it doesn't even achieve the goal; as Paul
points out, he's just going to require all TLS traffic go through his proxy
so he can do all the same DNS inspection/denial that he did before. Again,
decreased security.
Andrew Hettinger
http://Prominic.NET
Tel: 866.339.3169 (toll free) -or- 1.217.356.2888 x. 110 (int'l)
Fax: 866.372.3356 (toll free) -or- 1.217.356.3356 (int'l)
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop