This is one of the problems with security. It always comes with tradeoffs, and it always looks different depending on your perspective. In fact, though, the people who are currently providing DoH service actually have much greater visibility into the malware problem than you possibly can. This doesn't mean that it doesn't suck for you to not be able to collect the data, because at a university you presumably want to be able to do research on the data. But that's one of the tensions here. The answer to the observation "security requires us to make unpalatable tradeoffs" is not "don't do security."
On Tue, Aug 21, 2018 at 1:52 PM, Bob Harold <[email protected]> wrote:
>
> On Tue, Aug 21, 2018 at 1:37 PM David Conrad <[email protected]> wrote:
>
>> Vittorio,
>>
>> On Aug 21, 2018, at 3:33 AM, Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:
>>
>> If so, I can accept your use case: a smart user, knowing what he is doing, does not want anyone else to sanitize his queries for him. But I don't see why the best solution to your use case - which is quite a minority case, though easily overrepresented in a technical environment - is to build a sort of "nuclear bomb" protocol that, if widely adopted, will destroy most of the existing practices in the DNS "ecosystem" (I'm using the word that was being used at ICANN's DNS Symposium in Montreal), including the basic security measures that protect the 99.9% of the users who are not technically smart.
>>
>> Perhaps I'm misunderstanding: are you saying the folks who provide resolution services in a DoH world would have incentive to not follow basic security measures?
>>
>> Regards,
>> -drc
>
> At my university, our security group watches DNS rpz logs and DNS traffic logs for signs of malware, and takes action. In a DoH world, I cannot imagine every third-party DoH provider giving our security group that information. They will follow their own security measures, but will still affect ours because we lose visibility.
>
> --
> Bob Harold
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
