On 2021-01-18 4:27 p.m., John Levine wrote:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people
Sage advice.
In the OPSAWG where RFC8520 (MUD) currently lives, we are trying to
codify advice to IoT manufacturers about these things.
On Mon, Jan 18, 2021 at 04:27:20PM -0500,
John Levine wrote
a message of 18 lines which said:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people
I will certainly do as the NSA says, since they are experts in
privacy-related issues
On 1/22/21 3:10 AM, Tom Pusateri wrote:
> Would it be ok to allow DNSSEC signed responses from any server? If they’re
> signed and verified, does it matter how you got them?
Another missing part is privacy, i.e. even if you get exactly the same
answers, it doesn't imply you get similar (privacy)
On Thu, Jan 21, 2021 at 09:10:25PM -0500, Tom Pusateri wrote:
>
> > On Jan 21, 2021, at 8:59 PM, Paul Vixie wrote:
> >
> > (new behaviour should require new signalling. let networks who want to
> > permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> > signal this by adding a
> On Jan 21, 2021, at 8:59 PM, Paul Vixie wrote:
>
> On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
>> "John Levine" writes:
>>
>>> They think DoH is swell, but not when it bypasses security controls
>>> and leaks info to random outside people
>>
>> At least 15% of network
On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
> "John Levine" writes:
>
> > They think DoH is swell, but not when it bypasses security controls
> > and leaks info to random outside people
>
> At least 15% of network operators seem to agree.
>
>
"John Levine" writes:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people
At least 15% of network operators seem to agree.
https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html
--
Wes Hardaker
USC/ISI
They think DoH is swell, but not when it bypasses security controls
and leaks info to random outside people
From the summary:
Using DoH with external resolvers can be good for home or mobile
users and networks that do not use DNS security controls. For
enterprise networks, however, NSA