> -----Original Message-----
> From: Neil Cook <neil.c...@noware.co.uk>
> Sent: Wednesday, November 27, 2019 8:25 PM
> To: Stephane Bortzmeyer <bortzme...@nic.fr>
> Cc: Konda, Tirumaleswar Reddy <tirumaleswarreddy_ko...@mcafee.com>; dns-privacy@ietf.org; Phillip Hallam-Baker <ph...@hallambaker.com>
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> > On 27 Nov 2019, at 14:28, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> >
> > If you use DoH/DoT, it is because you don't trust the access network.
>
> It says nothing about whether you trust the access network. You *may* be using DoH/DoT because you don't trust the access network. However, you may trust the access network, for example, but the resolver it gives you may be located somewhere else entirely and your queries may be transiting over an untrusted network.
Yes. In addition, internal attacks have become a reality; please see https://tools.ietf.org/html/draft-arkko-arch-internet-threat-model-01#section-4.2.1. Clients should use DoT/DoH in all networks.

-Tiru

> > Relying on it to indicate a DoH/DoT resolver is pointless.
>
> You're conflating the lack of trust in the access network with discovery. Yes, if you don't trust the access network then you may not want to use a discovery protocol to indicate the best way to contact the resolver over DoT/DoH.
>
> However, what if you have configured a resolver manually using an IP address, and want to opportunistically upgrade to DoT/DoH if the resolver supports it?
>
> Neil

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
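The "opportunistic upgrade" Neil asks about, written out as an added example for this thread (it is not code from any participant or from an IETF document). It assumes a resolver IP the user configured by hand, an optional authentication domain name (ADN) entered alongside it, and a placeholder probe name; the `connect` parameter exists so the decision logic can be exercised without a network. The point it makes from the client's side is that the probe has three outcomes, not two: authenticated DoT, encrypted-but-unauthenticated DoT (RFC 8310's opportunistic profile, where an on-path party could be the one answering), and a fall back to cleartext, which is exactly the downgrade an attacker who blocks port 853 on the access network gets for free, so the client should at least log that it happened.

```python
"""Opportunistic DoT upgrade probe for a manually configured resolver IP.

Added example for this thread, not code from any participant or IETF document.
Assumptions (constructed): the resolver IP was configured by hand, PROBE_NAME
is a placeholder, and the ADN is whatever the user entered with the IP.
"""
import socket
import ssl
import struct

DOT_PORT = 853                 # DNS over TLS, RFC 7858
PROBE_NAME = "example.com"     # constructed probe query name


def build_query(name, txid=0x1234, qtype=1):
    """Minimal DNS query in wire format: one question, RD=1, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """Stream transports (TCP/TLS) prefix each DNS message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def recv_framed(sock):
    """Read exactly one length-prefixed DNS message from a stream socket."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed before full message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", read_exact(2))
    return read_exact(length)


def response_matches(query, response):
    """Accept only a reply carrying our transaction ID with the QR bit set."""
    return (len(response) >= 12 and response[:2] == query[:2]
            and (response[2] & 0x80) != 0)


def tls_connect(ip, server_name, timeout, verify):
    """Open a TLS session to the resolver on 853 (real network code)."""
    ctx = ssl.create_default_context()
    if not verify:                      # opportunistic: encrypt, don't authenticate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, DOT_PORT), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=server_name)
    except Exception:
        raw.close()
        raise


def probe_dot(ip, adn=None, timeout=3.0, connect=tls_connect):
    """Return 'strict', 'opportunistic', or None (caller stays on Do53).

    'strict': the certificate validated against the ADN (or an IP SAN when no
    ADN is known), so the resolver is authenticated.  'opportunistic': TLS
    works but the certificate did not validate; queries are encrypted, yet an
    on-path party could be the one answering.  None: nothing usable on 853.
    A client that silently falls back to port 53 here can be downgraded by
    anyone who blocks 853, so record that decision rather than hiding it.
    """
    query = build_query(PROBE_NAME)
    for verify, label in ((True, "strict"), (False, "opportunistic")):
        try:
            with connect(ip, adn or ip, timeout, verify) as s:
                s.sendall(frame_tcp(query))
                if response_matches(query, recv_framed(s)):
                    return label
        except ssl.SSLCertVerificationError:
            continue                    # retry once without authentication
        except OSError:                 # refused, timeout, handshake failure
            return None
    return None


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # documentation IP
    outcome = probe_dot(resolver) or "do53 (fallback; possible downgrade, log it)"
    print(resolver, "->", outcome)
```

Run it with the resolver IP as the only argument. The two-step loop is the whole of the "opportunistic" idea: try authenticated TLS first, accept unauthenticated TLS second, and only then give up; a strict-profile client would drop the second step and refuse to resolve at all rather than go to cleartext.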