@cstrotm After listening to the talk I ask myself if it's really a good idea to involve literally 8 servers in a single DNS request and call that an improvement, considering how many people already fail to deploy DNS properly when it comes to more than just an A record.

Shouldn't we try to make things less, not more, complex? And also things like: why does a device vendor have a say in which DoH resolvers should be used/are trusted?

@sheogorath For a single request (getting to, there are only three server machines involved. The last two could be a single machine. That is the same machine count as with Do53 (one DNS resolver, one authoritative).

The other machines provide auto-discovery "options". Not all need to or will be there in each network, but it is good to have the different options.

@cstrotm Good point. I'm just wondering what the real-world deployment will look like. Will the average sysadmin, who already has to maintain a zoo of machines, find the time to configure or block all those details, or will they just surrender and hand it over to some cloud provider? I think that is the logical consequence when things get too complex and you suddenly need expert teams for those base services.

DNS admins need to know about X.509 certs and need to learn how to troubleshoot TLS issues.

Anyone who can run Apache or NGINX with HTTPS can do encrypted DNS as well.

It "is" new stuff, and the "old" stuff will not go away, so yes, it raises the complexity.

Those admins that stay fresh with modern system administration will adapt.

The others will have problems (but not only because of DoH; also because of IPv6, PvD, and other new stuff).

>> And also things like why does a device vendor have a say in what DoH resolvers should be used/are trusted? <<

That is not a feature of the protocol, but of the modern (commercial) operating systems.

Linux/BSD might use this as well to securely resolve the addresses and configuration data about their package repositories.

I see nothing wrong with that.

@cstrotm I mean, I can definitely see why vendors want that, but not necessarily why users want that. Wouldn't that also become an angle for censorship again? As in "To distribute your devices in our country you have to allow only our somehow state-law-compliant DoH servers as endpoints"? Or is this somehow technically prevented (though I currently don't see how)?

But mhm, maybe I'm trying to solve a societal problem with tech again :|

That could be, but it would be visible to everyone looking at the DNS responses from those vendors/services.

We can't prevent state actors snooping at data, but DoH might make it transparent (which is not the case with DNS today).
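Two points in the thread are easier to see on the wire than in prose: the "auto-discovery options" that add machines to a lookup, and the claim that whichever resolvers a vendor or network designates are visible to anyone who inspects the DNS responses. The following is an added example (not part of the original thread, and not code from the talk or from any project mentioned in it) that builds the Discovery of Designated Resolvers (DDR, RFC 9462) query a client sends to its plain Do53 resolver, then parses a constructed SVCB answer (RFC 9460) naming a DoH and a DoT endpoint. The names doh.example.net and dot.example.net, the address 192.0.2.53, and the whole response are constructed for illustration; no real resolver was queried.

```python
"""DDR discovery on the wire: build the _dns.resolver.arpa SVCB query and
parse a constructed answer into the encrypted-resolver endpoints it designates.
Added example; the response bytes are constructed, not captured."""
import ipaddress
import struct

# Constants from RFC 9460 (SVCB) and RFC 9462 (DDR)
TYPE_SVCB = 64
CLASS_IN = 1
DDR_NAME = "_dns.resolver.arpa."
KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_IPV6HINT, KEY_DOHPATH = 1, 3, 4, 6, 7


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off:], following compression pointers; returns (name, end)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_ddr_query(txid=0x1234):
    """The query a DDR client sends to its unencrypted (Do53) resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(DDR_NAME) + struct.pack("!HH", TYPE_SVCB, CLASS_IN)


def encode_svc_params(params):
    """params: {key: bytes}; keys are emitted in ascending order as RFC 9460 requires."""
    return b"".join(struct.pack("!HH", k, len(params[k])) + params[k] for k in sorted(params))


def parse_svc_params(data):
    """Decode the SvcParams blob; unknown keys are kept rather than rejected."""
    out, off = {}, 0
    while off < len(data):
        key, length = struct.unpack("!HH", data[off:off + 4])
        val = data[off + 4:off + 4 + length]
        off += 4 + length
        if key == KEY_ALPN:                              # list of length-prefixed ALPN ids
            alpns, i = [], 0
            while i < len(val):
                alpns.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            out["alpn"] = alpns
        elif key == KEY_PORT:
            out["port"] = struct.unpack("!H", val)[0]
        elif key == KEY_IPV4HINT:
            out["ipv4hint"] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == KEY_IPV6HINT:
            out["ipv6hint"] = [str(ipaddress.IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
        elif key == KEY_DOHPATH:
            out["dohpath"] = val.decode("utf-8")
        else:
            out.setdefault("unknown", {})[key] = val
    return out


def parse_ddr_response(msg):
    """Return the SVCB records of the answer section as dicts, most preferred first."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_SVCB:
            continue
        priority = struct.unpack("!H", rdata[:2])[0]
        target, p = decode_name(rdata, 2)                # TargetName is never compressed
        records.append({"owner": owner, "ttl": ttl, "priority": priority,
                        "target": target, "params": parse_svc_params(rdata[p:])})
    return sorted(records, key=lambda r: r["priority"])


def encrypted_resolver_endpoints(records):
    """Endpoints a client would try, in order. The TLS certificate of each target
    must still be verified (RFC 9462: it has to cover the Do53 resolver's IP, or the
    configured name); the SVCB answer alone is not trusted."""
    endpoints = []
    for r in records:
        host, params = r["target"].rstrip("."), r["params"]
        alpns = params.get("alpn", [])
        if "dohpath" in params and any(a in ("h2", "h3") for a in alpns):
            port = params.get("port", 443)
            endpoints.append(("doh", "https://%s%s" % (host if port == 443 else "%s:%d" % (host, port), params["dohpath"])))
        elif "dot" in alpns:
            endpoints.append(("dot", "%s:%d" % (host, params.get("port", 853))))
    return endpoints


def build_sample_response(txid=0x1234):
    """Constructed DDR answer (assumption: not captured from any real resolver)."""
    question = encode_name(DDR_NAME) + struct.pack("!HH", TYPE_SVCB, CLASS_IN)
    owner = b"\xc0\x0c"                                  # pointer back to the question name

    def rr(priority, target, params):
        rdata = struct.pack("!H", priority) + encode_name(target) + encode_svc_params(params)
        return owner + struct.pack("!HHIH", TYPE_SVCB, CLASS_IN, 300, len(rdata)) + rdata

    doh = rr(1, "doh.example.net.", {KEY_ALPN: b"\x02h2",
                                     KEY_IPV4HINT: ipaddress.IPv4Address("192.0.2.53").packed,
                                     KEY_DOHPATH: b"/dns-query{?dns}"})
    dot = rr(2, "dot.example.net.", {KEY_ALPN: b"\x03dot", KEY_PORT: struct.pack("!H", 853),
                                     KEY_IPV4HINT: ipaddress.IPv4Address("192.0.2.53").packed})
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0) + question + doh + dot


if __name__ == "__main__":
    print("query:", build_ddr_query().hex())
    recs = parse_ddr_response(build_sample_response())
    for rec in recs:
        print(rec["priority"], rec["target"], rec["params"])
    print(encrypted_resolver_endpoints(recs))
```

The parsed records are exactly what an observer of the Do53 traffic sees as well: the designated targets, their ALPNs and the DoH path are in the clear in the SVCB answer, which is the sense in which designation is "visible". The `encrypted_resolver_endpoints` docstring carries the caveat behind the X.509 remark earlier in the thread: DDR only upgrades to the designated resolver after its certificate has been validated against the address or name the client already trusted, so a cert or TLS misconfiguration on the target silently leaves clients on plain Do53.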

Sheogorath's Microblog