On Tue, 10 Jan 2023, Philip Homburg wrote:

> Should applications control this by default? No. But in my opinion,
> it is better if the user can control this per application (in addition
> to system-wide defaults) than that we force applications that do want
> to have this kind of control work around what the system provides.

If applications think it is THAT important, they shouldn't be trusting
the EDNS options of a stub proxy, which also might go through an OS
proxy on top. It also cannot trust or know whether the proxy's upstream
forwarding is using encryption either. So it still has to do it itself
if it wants to be sure.

> This behavior is quite similar to what would happen if each application
> links with its own stub resolver, and decides locally whether to
> set up an encrypted transport or not. On current systems, a web browser
> may use DoH where other applications use Do53.

And a draft that specifies a proxy won't change browsers to not do DoH
themselves.

> The draft does not require a cache, but obviously adding a cache is
> encouraged.

Now you are not talking about stubs anymore.

> The goal is to make a local proxy safe for applications that do have
> requirements with respect to privacy.

If applications are willing to trust the local system/proxy, then they
can't get a guarantee about encryption. What if the proxy is stuck on
a network that blocks all DNS except the DHCP obtained ones, and those
you can talk encrypted to, but what does it mean to talk encrypted DNS
to StarBucks?

> Currently, applications cannot
> assume anything about how a local proxy operates. Which encourages
> applications to only use their own stub resolvers that set up encrypted
> transports, potentially ignoring any system-wide settings.

Yes, I agree. But it seems like a sailed ship to me. Similar to how I
don't see why applications/users should follow the ADD proposals that
try to keep you using the local ISP nameserver instead of your own
trusted DoH server.

The big problem I see is that the application wants end to end privacy
on the DNS queries (or at least end to a large pool to hide in) whereas
EDNS is a hop by hop signaling mechanism. You cannot know what
happens when the local proxy sends the query forward. Whether that step
is using encryption is only one step of the chain to keep the DNS query
private.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop