Hello.

On 5/21/20 10:50 PM, Brewst wrote:
> The proposed solution of having DNS encrypted via DoT from the
> resolver to authoritative is a fantastic idea. It ensures the data's
> integrity while also giving system owners the ability to inspect
> traffic sent to their local resolver as well as the traffic sent back
> to systems from the resolver.

Let me point out that there are two basically independent parts: (1) the path *to* resolvers, potentially including forwarding between resolvers; and (2) the path from resolvers to authoritatives. So far, all DoT and DoH work has been about (1) without touching (2) in any way, except for some non-standard experiments like https://engineering.fb.com/security/dns-over-tls/

The new dprive charter and draft-vandijk-dprive-ds-dot-signal-and-pin seek to address (2), again independently of what encryption/configuration happens on part (1) or even on the client machine... though of course it's imagined to secure *both* (1) and (2) for the best privacy effect. (Well, much of the information leaks through other means than DNS, but this and SNI encryption should together at least make it harder to collect.)

I deliberately want to avoid the aspect of clients/apps overriding the OS resolver, as that seems a futile topic in here. And again an independent one, except for some OS DNS being currently hard to configure with DoT/DoH and thus giving apps arguments to encrypt DNS on their own. There's a bit better place for that topic: https://tools.ietf.org/wg/add/ - so that would also be my answer to:

> I am new to this mailing list and if this is the wrong forum to bring
> up my concerns with where and how DNS resolution settings should be
> controlled, let me know.

and perhaps you'd be interested in this initiative "outside IETF": https://www.encrypted-dns.org/

--Vladimir

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
