On Wed, 20 Mar 2019 at 07:38, Joe Abley <[email protected]> wrote:

> [There is actually a proposal at the bottom of this e-mail. Bear with me.]

And it's a good proposal!

> Standardise this privacy mechanism, and specify (with reasoning) that it
> should be implemented such that the existence of the channel (but not the
> content) can be identified as distinct from other traffic by third parties.
> Maybe specify use of a different port number, as was done with DoT.

I think this would alleviate most people's concerns... certainly it deals with mine. I have difficulty believing it is acceptable to the pro-DoH community though, considering the first of the two use-cases defined in the Introduction of RFC8484: "... preventing on-path devices from interfering with DNS operations..." I eagerly welcome the -bis document that removes this statement, and defines a new port number which DoH traffic SHOULD use.

> Those who choose to ignore that direction and create a covert channel using
> port 443 instead will do so. Nothing much we can do to stop that today (I
> guarantee it is already happening). The future is not really different.

Indeed. If everyone above-board is using port 5443 (to pull a number out of the air) for their DoH traffic, the below-board usage should be about as visible as any such usage is today.

> Of course when people shift the focus of the conversation from DoH in
> general to resolverless DNS, and want to interleave DNS messages with HTML
> and cat GIFs over the same HTTPS bundles, the pitchforks will need to come
> out again. So keep them handy.

I don't actually own a pitchfork, but I'll keep my Woodsman's Pal sharp. :)
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
