> On 26/10/2020 08:41 Ralf Weber <[email protected]> wrote:
>
> I also think that any list hardcoded in browser/OS deployments is a bad
> idea for a long term solution (that includes auto upgrades of DoH servers
> ;-) and it looks like STS has already shown that. DNS being a
> distributed mechanism is far better suited as it does not require an
> update of the end device.
In fact, this "client-side hardcoded list vs TOFU discovery vs dynamic
discovery via DNS" discussion - also addressed by the post - comes up quite
often in a number of different places (HTTPS, DoH, DANE/MTA-STS...). I also
think that dynamic discovery is better and is the only solution fully in line
with the decentralized nature of the Internet, but I see the performance and
security advantages of hardcoding some values that are known to be valid and
stable (e.g., in the case of HTTPS, Google could do that for their own
properties). Perhaps a general analysis and best practice document on this
topic could be useful.
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
[email protected]
Office @ Via Treviso 12, 10144 Torino, Italy
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop