On Wed, Jan 8, 2020 at 12:00 AM Christian Huitema <huitema@xxxxxxxxxxx> wrote:
On 1/7/2020 12:08 PM, Rob Sayre wrote:
The document contains the text:
"DoT, for example, would normally contain no client identifiers above the TLS layer and a resolver would see only a stream of DNS query payloads originating within one or more connections from a client IP address. Whereas if DoH clients commonly include several headers in a DNS message"
Doesn't this just mean "if the DoT client is a good implementation, and the DoH client is not..." ?
I am not sure that this is just about client identifiers, but there is indeed a difference in complexity between DoH and DoT. Yes you could minimize it by using an absolutely minimal implementation of HTTP for DoH, but the very idea of DoH is to reuse existing HTTP infrastructure for DNS. In practice that means a much larger attack surface.
I think the concept you're describing is covered by RFC8484, as I wrote.
Is there something in this document's DoH considerations that's new?
thanks,
Rob
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call