nsHostRecord should record if it was resolved using a secure DNS resolver
Categories: Core :: Networking: DNS, enhancement, P2
People: Reporter: valentin; Assignee: Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [necko-triaged]
Goal: Prevent the use of HTTPS records fetched over unencrypted connections for certain features.
- Determine whether the OS resolver is using a secure transport. This is essential for deciding whether an HTTPS record can be used for ECH.
- Expose the secure-transport status on the DNS record, and modify the existing code to account for the change.
https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-dns_doh_server_settings
https://developer.apple.com/documentation/networkextension/dns_settings
When DoH was the only way to resolve HTTPS records, all HTTPS records were fetched over a secure transport. However, if we allow resolving HTTPS records using the native resolver, we should check whether the OS is using a secure resolver (DoH, DoT) and provide this information to consumers.
Comment 1 • 1 year ago
Just to clarify: We're fine to use HTTPS records for ECH as well. There's no downside, it just has a limited benefit compared to using encrypted DNS.
It would still be great to expose this information, but I stress that we don't need it for deciding whether to use ECH. We should always do ECH if an HTTPS RR is available.