On 8/20/14, Hosnieh Rafiee <[email protected]> wrote:
> Hi Jacob,
>
>>
>> You will not know if I will authenticate until you've attacked my
>> traffic. This is game over for an attacker that must go undetected.
>> Encryption puts their head in the sand and if they try to pull it out,
>> they risk detection at a non-zero cost.
>>
>> Make them pay.
>
> If you use that kind of encryption without authentication in another scenario,
> I would agree with you that it helps, because the attack might happen only at
> the first point of communication.

I don't think I understand what you are trying to express in the above statement. Could you rephrase it?

> But here for the resolver... NO..., this is not the first point. Either the
> attacker is prepared to receive your information or not. If he is prepared,
> he is already your resolver and you connect directly to him and hand your
> data to him.

This is false. Sniffers are not always on the same path as injectors. A sniffer is not a resolver. A resolver may be malicious. The network may try to impersonate my resolver.

In the second case, I'd like a way to detect that someone is trying to impersonate my resolver (e.g. authentication via a DANE record, etc.). In the first case, I'll use a resolver that I trust.

> Then who are you afraid will retrieve your data??

I'm not sure that I understand your question?

> If he is not ready to retrieve your data or eavesdrop, then since this
> communication is not continuous and there are only two messages exchanged
> with the DNS resolver, he has no chance to receive your data. Did
> encryption help here? No... why? Because the attacker wasn't yet prepared,
> otherwise he was your resolver.

Huh?

> In other words, encryption helps if there is continuous data exchange for a
> certain time (not only 2 messages) that might allow an unwanted person to
> eavesdrop.

If I configure my stub to trust my recursive resolver from the start, I should have zero unencrypted connections. If I am a locally verifying, DNSSEC-enabled recursive resolver, I would like the traffic to look identical (per connection) to traffic from an encrypted stub resolver.

All the best,
Jacob

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
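The distinction Jacob draws, between a stub that merely encrypts to whoever answers and a stub that has been configured from the start to trust one particular recursive resolver, can be made concrete with a small trust check. The following is an added example, not code from the thread or from any IETF implementation: it parses a DANE-style TLSA record in the RFC 6698 presentation format, pins the resolver's SubjectPublicKeyInfo, and classifies one connection as authenticated, opportunistic, or a detected impersonation attempt. All key bytes and records are constructed sample values; the helper names (`parse_tlsa`, `spki_matches`, `check_resolver`) are this example's own.

```python
"""
Added example (not from the dns-privacy thread): a stub-resolver trust check.

In opportunistic mode the stub encrypts to whatever resolver answers, so a
sniffer off-path sees nothing but an on-path impersonator is silently
accepted. In pinned mode the stub knows, DANE-style, which key its recursive
resolver must present, so an impersonator is detected on the very first
connection. TLSA field layout (usage, selector, matching type, association
data) follows RFC 6698; keys and records below are constructed samples.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# RFC 6698 field values used in this example
USAGE_DANE_EE = 3        # pin the end-entity key itself; no CA chain involved
SELECTOR_SPKI = 1        # match on SubjectPublicKeyInfo rather than the whole cert
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    association_data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the RFC 6698 presentation format: '<usage> <selector> <mtype> <hex>'."""
    parts = presentation.split()
    if len(parts) != 4:
        raise ValueError("TLSA record needs exactly 4 fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    return TLSARecord(usage, selector, mtype, bytes.fromhex(parts[3]))


def spki_matches(record: TLSARecord, presented_spki: bytes) -> bool:
    """Does the public key presented on the wire match the pinned record?"""
    if record.usage != USAGE_DANE_EE or record.selector != SELECTOR_SPKI:
        raise NotImplementedError("this example only handles DANE-EE / SPKI pins")
    if record.matching_type == MATCH_FULL:
        digest = presented_spki
    elif record.matching_type == MATCH_SHA256:
        digest = hashlib.sha256(presented_spki).digest()
    else:
        digest = hashlib.sha512(presented_spki).digest()
    return digest == record.association_data


def check_resolver(pin: Optional[TLSARecord], presented_spki: bytes) -> str:
    """
    Trust decision for one stub-to-resolver connection.
      'authenticated'  pin configured and the resolver holds the pinned key
      'impersonation'  pin configured but a different key was presented:
                       refuse the connection and log the attempt
      'opportunistic'  no pin configured: encrypted, identity unverified
    """
    if pin is None:
        return "opportunistic"
    return "authenticated" if spki_matches(pin, presented_spki) else "impersonation"


# Constructed sample keys (real SPKIs are DER blobs; any bytes work for the check).
TRUSTED_SPKI = b"constructed-spki-of-my-recursive-resolver"
OTHER_SPKI = b"constructed-spki-of-some-other-party"

# The pin the stub was configured with from the start, in each matching type.
PIN_SHA256 = parse_tlsa("3 1 1 " + hashlib.sha256(TRUSTED_SPKI).hexdigest())
PIN_SHA512 = parse_tlsa("3 1 2 " + hashlib.sha512(TRUSTED_SPKI).hexdigest())
PIN_FULL = parse_tlsa("3 1 0 " + TRUSTED_SPKI.hex())


if __name__ == "__main__":
    for label, pin, spki in [
        ("pinned, genuine resolver", PIN_SHA256, TRUSTED_SPKI),
        ("pinned, different key presented", PIN_SHA256, OTHER_SPKI),
        ("no pin, whoever answers", None, OTHER_SPKI),
    ]:
        print(f"{label:35s} -> {check_resolver(pin, spki)}")
```

The point of the three outcomes is the one made in the reply above: with no pin, encryption still removes the passive sniffer from the picture, but only a configured trust anchor turns an active impersonation into a detectable event on the first connection rather than a silent success.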
