> On Jan 21, 2021, at 8:59 PM, Paul Vixie <p...@redbarn.org> wrote:
>
> On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
>> "John Levine" <jo...@taugh.com> writes:
>>
>>> They think DoH is swell, but not when it bypasses security controls
>>> and leaks info to random outside people
>>
>> At least 15% of network operators seem to agree.
>>
>> https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html
>
> i think the makers of canary-respecting DNS stub resolvers are still
> figuring things out, and that if canary domains become prevalent,
> especially among surveillance capitalist ISPs or surveillance
> authoritarian states, the days of canary domains will change or end.
>
> for my own networks, i won't install a canary domain, because that's
> a late-imposed change, unreliable, and a negative externality. any
> stub resolver who uses any DNS service other than the one i hand out
> in my DHCP assignments will be removed from the network.
>
> (new behaviour should require new signalling. let networks who want to
> permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> signal this by adding a new canary domain, or a new DHCP option.
> absent new signalling, behaviour should not change.)
>
> --
> Paul Vixie

Would it be ok to allow DNSSEC signed responses from any server? If they’re signed and verified, does it matter how you got them?

Thanks,
Tom

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop