On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
> "John Levine" <[email protected]> writes:
>
> > They think DoH is swell, but not when it bypasses security controls
> > and leaks info to random outside people
>
> At least 15% of network operators seem to agree.
>
> https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html

i think the makers of canary-respecting DNS stub resolvers are still figuring things out, and that if canary domains become prevalent, especially among surveillance capitalist ISPs or surveillance authoritarian states, the days of canary domains will change or end.

for my own networks, i won't install a canary domain, because that's a late-imposed change, unreliable, and a negative externality. any stub resolver who uses any DNS service other than the one i hand out in my DHCP assignments will be removed from the network.

(new behaviour should require new signalling. let networks who want to permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise, signal this by adding a new canary domain, or a new DHCP option. absent new signalling, behaviour should not change.)

--
Paul Vixie

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
