opt/chromium/policies/managed: update documentation about working preferred over ECH enforced

2024-11-22 03:09:22 +01:00 · 2024-04-25 11:00:40 +03:00 · 2024-04-25 11:00:40 +03:00 · 45cf5ecf61
commit 45cf5ecf61
parent 32883d5c73
1 changed files with 9 additions and 4 deletions
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@ -259,9 +259,11 @@ Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server.

 If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.

-Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`.
-
-**_This also causes there to not be ECH._**
+My other `doh-*.json` set this as well, because `secure` doesn't allow
+downgrade to system resolver and Chromium seems somewhat unreliable with it often reporting
+`DNS_PROBE_POSSIBLE` and while this occassionally disables ECH, it works and
+my system resolvers are encrypted. I hope they will implement ECH with system
+resolver soon to fix this.

 ## `doh-dns0.json`

@ -297,7 +299,10 @@ their alternative port.

 Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.

-However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver.
+However ECH requires `"DnsOverHttpsMode": "secure"` which will break things
+(and thus my files don't enable it),
+or it will occassionally get disabled (I hope they implement it with system
+resolver soon).

 ## `enable-labs.json`