Hi,
I generally like the idea of this draft and unilateral probing strategy.
I just have a (possibly dumb) question.
```
An authoritative server SHOULD implement and deploy DNS-over-TLS (DoT)
on TCP port 853.
An authoritative server SHOULD implement and deploy DNS-over-QUIC (DoQ)
on UDP port 853.
```
To those normative (or normatively-looking) sentences really encourage
(once the draft becomes possibly an RFC) every authoritative server in
the world to implement DoT and DoQ (with a SHOULD)?
I would be afraid of opening various attack vectors (mainly, but not
exclusively DoS), that could threaten also the old-school Do53 service
running on the same servers.
Another comment:
AFAIK in all practical aspects, DoQ is equal or better than DoT. The
only advantage of DoT I know about is its maturity and better available
tooling.
However, given how slowly the progres in DPRIVE goes, this might change.
Won't it be pointless to encourage the DNS world to using DoT at all,
when the actual migration path will be directly Do53->DoQ ?
Thanks for considering,
Libor
Dne 03. 03. 23 v 19:14 [email protected] napsal(a):
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the DNS PRIVate Exchange WG of the IETF.
Title : Unilateral Opportunistic Deployment of Encrypted
Recursive-to-Authoritative DNS
Authors : Daniel Kahn Gillmor
Joey Salazar
Paul Hoffman
Filename : draft-ietf-dprive-unilateral-probing-05.txt
Pages : 30
Date : 2023-03-03
Abstract:
This document sets out steps that DNS servers (recursive resolvers
and authoritative servers) can take unilaterally (without any
coordination with other peers) to defend DNS query privacy against a
passive network monitor. The steps in this document can be defeated
by an active attacker, but should be simpler and less risky to deploy
than more powerful defenses.
The goal of this document is to simplify and speed deployment of
opportunistic encrypted transport in the recursive-to-authoritative
hop of the DNS ecosystem. With wider easy deployment of the
underlying transport on an opportunistic basis, we hope to facilitate
the future specification of stronger cryptographic protections
against more powerful attacks.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dprive-unilateral-probing/
There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dprive-unilateral-probing-05
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dprive-unilateral-probing-05
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
