On Wed, Nov 27, 2019 at 09:07:15AM +0000, Konda, Tirumaleswar Reddy <[email protected]> wrote a message of 72 lines which said:
> > *All* "automatic discovery of the DoH resolver" schemes are broken
> > by design and I really wonder why people keep suggesting them.
>
> Not all discovery mechanisms have security holes, you may want to
> look into
> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05.

It seems to me that this draft has exactly the same problem as every other "resolver discovery" proposal: it gives complete power to the access network to indicate the resolver to use. If you use DoH/DoT, it is because you don't trust the access network. Relying on it to indicate a DoH/DoT resolver is pointless.

For instance, if your access provider has a lying resolver and you want to escape it with DoH/DoT access to an external resolver, I don't see how this draft helps you.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
