The recording of my talk on DNS encryption (2020 update) is now online
@sheogorath For a single request (getting to www.example.com), there are only three server machines involved. The last two could be a single machine. That is the same machine count as with Do53 (one DNS resolver, one authoritative)
the other machines provide auto discovery "options". Not all need or will be there in each network, but it is good to have the different options
@cstrotm Good point. I'm just wondering how the real world deployment will be look like. Will the average sysadmin that already has to maintain a zoo of machines fine the time to configure or block all those details or will they just surrender and hand it over to some cloud provider, which I think is the logical consequence when things get too complex as you suddenly need expert teams for those base services.
DNS admins need to know about x509 certs and need to learn how to troubleshoot TLS issues.
Anyone who can run Apache or NGINX with HTTPS can do encrypted DNS as well.
It "is" new stuff, and the "old" stuff will not go away, so yes, it raises the complexity
Those admins that stay fresh with modern system administration will adapt.
The other will have problems (but not only because of DoH, also because of IPv6, PvD, and other new stuff)
The original server operated by the Mastodon gGmbH non-profit