'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption

www.theregister.co.uk | 10/23/2018 | Staff
Click For Photo: https://regmedia.co.uk/2018/10/23/asyluminmate.jpg

The Internet Engineering Task Force (IETF) has formally adopted DNS-over-HTTPS as a standard, and reignited a debate over whether it's a danger to the web's infrastructure.

The IETF gave the proposal its blessing late last week by elevating it to Request For Comment (RFC) level as RFC 8484.

Idea - Confidentiality - Integrity - DNS - Lookups

The idea was to guarantee the confidentiality and integrity of DNS lookups, as co-author Mozilla's Patrick McManus explained to The Register in December 2017, because governments and bad actors alike interfere or snoop on DNS requests.

Encryption provides confidentiality, quite simply because instead of sending a plain-text DNS request over UDP, RFC 8484 sends it over HTTPS, secured by Transport Layer Security (TLS). Integrity protection comes from using the server's public key to guarantee that nobody's spoofing the DNS server.

Things - Coder - Contributor - IETF - Work

Those sound like good things, but Mauritian coder and contributor to IETF work Logan Velvindron pointed out to The Reg that not everybody's happy about the RFC.

Paul Vixie, one of the architects of the DNS, reckoned it's nothing short of a disaster. On Friday, he tweeted: "RFC 8484 is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum."

Vixie - DoH - Architecture - DNS - Plane

Vixie has said that DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that's a no-no.

Network admins, he argued on Twitter, need to be able to see and analyse DNS activity, and DoH prevents that. "DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH."

DoT - DNS - TLS - RFC - Standard

DoT is DNS over TLS, RFC 7858, a separate standard from DoH that works towards the same integrity and privacy aims.

Which matters more, network...
(Excerpt) Read more at: www.theregister.co.uk
Wake Up To Breaking News!
Sign In or Register to comment.

Welcome to Long Room!

Where The World Finds Its News!