Video:
The recording of my talk on DNS encryption (2020 update) is now online
@sheogorath For a single request (getting to www.example.com), there are only three server machines involved. The last two could be a single machine. That is the same machine count as with Do53 (one DNS resolver, one authoritative)
the other machines provide auto discovery "options". Not all need or will be there in each network, but it is good to have the different options
DNS admins need to know about x509 certs and need to learn how to troubleshoot TLS issues.
Anyone who can run Apache or NGINX with HTTPS can do encrypted DNS as well.
It "is" new stuff, and the "old" stuff will not go away, so yes, it raises the complexity
Those admins that stay fresh with modern system administration will adapt.
The others will have problems (but not only because of DoH, also because of IPv6, PvD, and other new stuff)
@cstrotm Good point. I'm just wondering what the real world deployment will look like. Will the average sysadmin that already has to maintain a zoo of machines find the time to configure or block all those details, or will they just surrender and hand it over to some cloud provider, which I think is the logical consequence when things get too complex, as you suddenly need expert teams for those base services.