On Wed, Jan 8, 2020 at 12:00 AM Christian Huitema <[email protected]> wrote:
>
> On 1/7/2020 12:08 PM, Rob Sayre wrote:
> > The document contains the text:
> >
> > "DoT, for example, would normally contain no client identifiers above
> > the TLS layer and a resolver would see only a stream of DNS query
> > payloads originating within one or more connections from a client IP
> > address. Whereas if DoH clients commonly include several headers in
> > a DNS message'
> >
> > Doesn't this just mean "if the DoT client is a good implementation, and
> > the DoH client is not..." ?
>
> I am not sure that this is just about client identifiers, but there is
> indeed a difference in complexity between DoH and DoT. Yes you could
> minimize it by using an absolutely minimal implementation of HTTP for DoH,
> but the very idea of DoH is to reuse existing HTTP infrastructure for DNS.
> In practice that means a much larger attack surface.

I think the concept you're describing is covered by RFC8484, as I wrote. Is there something in this document's DoH considerations that's new?

thanks,
Rob
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
