Hi Jacob,

> You will not know if I will authenticate until you've attacked my
> traffic. This is game over for an attacker that must go undetected.
> Encryption puts their head in the sand and if they try to pull it out,
> they risk detection at a non-zero cost.
>
> Make them pay.

If you use that kind of encryption without authentication in other scenarios, I would agree with you that it helps, because the attack might happen only at the first point of communication. But here for the resolver... NO..., this is not the first point. Either the attacker is prepared to receive your information or not. If he is prepared, he is already your resolver, and you connect directly to him and hand your data to him. Then who are you afraid will retrieve your data?? If he is not ready to retrieve your data or eavesdrop, then since this communication is not continuous and only two messages are exchanged with the DNS resolver, he has no chance to receive your data. Did encryption help here? No... why? Because the attacker wasn't yet prepared; otherwise he was your resolver.

In other words, encryption helps if there is a continuous data exchange for a certain time (not only 2 messages) that might allow an unwanted person to eavesdrop.

Best,
Hosnieh

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
