On Tue, 10 Jan 2023, Philip Homburg wrote:
> Should applications control this by default? No. But in my opinion, it is better if the user can control this per application (in addition to system-wide defaults) than that we force applications that do want to have this kind of control work around what the system provides.
If applications think it is THAT important, they shouldn't be trusting the EDNS options of a stub proxy, which also might go through an OS proxy on top. It also cannot trust or know whether the proxy's upstream forwarding is using encryption either. So it still has to do it itself if it wants to be sure.
> This behavior is quite similar to what would happen if each application links with its own stub resolver, and decides locally whether to set up an encrypted transport or not. On current systems, a web browser may use DoH where other applications use Do53.
And a draft that specifies a proxy won't change browsers to not do DoH themselves.
> The draft does not require a cache, but obviously adding a cache is encouraged.
Now you are not talking about stubs anymore.
> The goal is to make a local proxy safe for applications that do have requirements with respect to privacy.
If applications are willing to trust the local system/proxy, then they can't get a guarantee about encryption. What if the proxy is stuck on a network that blocks all DNS except the DHCP obtained ones, and those you can talk encrypted to, but what does it mean to talk encrypted DNS to StarBucks?
> Currently, applications cannot assume anything about how a local proxy operates. Which encourages applications to only use their own stub resolvers that set up encrypted transports, potentially ignoring any system-wide settings.
Yes, I agree. But it seems like a sailed ship to me. Similar to how I don't see why applications/users should follow the ADD proposals that try to keep you using the local ISP nameserver instead of your own trusted DoH server. The big problem I see is that the application wants end to end privacy on the DNS queries (or at least end to a large pool to hide in) whereas EDNS is a hop by hop signaling mechanism. You cannot know what happens when the local proxy sends the query forward. Whether that step is using encryption is only one step of the chain to keep the DNS query private.

Paul