Re: [Add] publication of DoH Resolver policies

tirumal reddy <kondtir@gmail.com> Mon, 27 May 2019 13:12 UTC

From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 27 May 2019 18:42:01 +0530
Message-ID: <CAFpG3gdwBHoED-TXL3_2ksx-DPd7oRtaUD-FYyfz8yYvdw_Z8A@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/EgU6s4cM1jC7M6yJ8-XBQGOf_LE>

On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:

> On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
> >
> > If the DOH server provided by the network offers the same level of
> > privacy preserving data policy as the DOH server pre-configured in the
> > browser, why shouldn't the browser use the network provided DOH server?
>
> How could the browser tell that both DoH servers have the same policy?
>

> How does the browser (or anything else for that matter) know what some
> arbitrary DoH server’s privacy preserving data policy is? Where will this
> be documented and published in a way that a web-based application or the
> end user can understand and then make an informed choice?
>

https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10
defines a new privacy certificate extension that identifies the
privacy-preserving data policy of the DNS server; it is in a machine-parsable
format.
> Now rinse and repeat that for other server-side policies: data retention,
> GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS
> behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware,
> etc, etc.
>
> Oh, and if some DoH server says “I do QNAME minimisation” (say), does the
> browser or end user simply take that on trust or would they somehow be
> expected to verify that for themselves?
>

An end user typically does not trust a DoH server in an untrusted network (e.g.
a public WiFi network) and may only use the DoH server provided by a trusted
network (e.g. enterprise or secure home networks), similar to the way users
disable their VPN connection in specific networks and enable it by
default in other networks for privacy. In addition, the privacy extension
includes a URL that points to the security assessment report of the DNS
server by a third-party auditor.

Cheers,
-Tiru
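As an added illustration of the exchange above (not code from the draft or from either poster): a client can only answer Jim's "same policy?" question if the certificate extension is machine-parsable, so this sketch DER-encodes a policy into an X.509 extension, parses it back on the client side and compares the network-provided server's policy with the browser's preconfigured one. The OID, the SEQUENCE field layout and the attribute names are assumptions for the example; the draft's actual encoding is not reproduced in the thread.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
)

// Placeholder OID: the draft's real extension identifier is not given in the thread.
var oidPrivacyPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// PrivacyPolicy is an assumed ASN.1 SEQUENCE layout for the machine-parsable policy;
// AuditReportURL stands for the third-party assessment link the reply mentions.
type PrivacyPolicy struct {
	QnameMinimisation bool
	RetentionDays     int
	Filtering         bool
	AuditReportURL    string `asn1:"ia5"`
}

// policyExtension DER-encodes p into the extension a DoH server's certificate would carry.
func policyExtension(p PrivacyPolicy) (pkix.Extension, error) {
	val, err := asn1.Marshal(p)
	return pkix.Extension{Id: oidPrivacyPolicy, Value: val}, err
}

// policyFromCert is the client side: locate the extension and parse it strictly,
// rejecting trailing bytes; ok is false when the server advertises no policy at all.
func policyFromCert(c *x509.Certificate) (p PrivacyPolicy, ok bool) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidPrivacyPolicy) {
			rest, err := asn1.Unmarshal(e.Value, &p)
			return p, err == nil && len(rest) == 0
		}
	}
	return PrivacyPolicy{}, false
}

// atLeastAsPrivate answers the thread's question: the network's server is acceptable
// only if no attribute is weaker than the policy of the browser's preconfigured server
// and an audit report is referenced (the self-asserted policy is not taken on trust alone).
func atLeastAsPrivate(network, preconfigured PrivacyPolicy) bool {
	return (network.QnameMinimisation || !preconfigured.QnameMinimisation) &&
		network.RetentionDays <= preconfigured.RetentionDays &&
		(!network.Filtering || preconfigured.Filtering) &&
		network.AuditReportURL != ""
}
```

Whether the audit report behind the URL is actually fetched and evaluated is a separate policy decision the thread leaves open; the comparison above only checks that one is advertised.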