> On Wed, 20 Aug 2014, Hosnieh Rafiee wrote:
>
> > The important thing is stub resolver is not recursive resolver and
> > the expectation of querying different authoritative DNSSEC server for
> > this verification seems to be impractical.
>
> So you have two choices in that case:
> 1 Become a dnssec validating resolver
> 2 Setup a VPN to a validating resolver you trust
>
> Both are out of scope for this draft.
Then it appears that everything is out of scope...

> >> [Paul Wouters already explained that it makes no sense to authentify
> >> a DHCP-obtained resolver - since DHCP itself is not secure. You
> >> authentify hard-wired resolvers only.]
> >
> > :-) and my answer was that in this case, it does not make sense to do
> > any encryption because we are boiling the ocean water as the observer
> > already can play a role of resolver and access the data that we try to
> > hide from him.
>
> No, an OBSERVER cannot. Only an active attacker can. In the absence of
> 2) that is the best you can do, and this draft says it is the best you
> SHOULD do.

Again, there is no observer when he can easily take the role of resolver (or active attacker) without being detected. There is either an active attacker or no one. Please tell me how long it takes for a query to be sent and answered. Isn't it more than a few seconds? Why should I, as an attacker, waste my time using Wireshark or the like to listen to all queries in the hope that I can receive some information, when I can execute an easier step and retrieve much more information without being detected?

> > Encryption without authentication is like someone hiding his head in
> > the sand and assuming that he has privacy while others can see his body
> > clearly.
>
> With nation state monitoring out of control, this is not true.
> Especially when using non-local resolvers like 8.8.8.8.

I presume that the attacker is either inside your own network or somewhere he can access the network that your DNS messages pass through. In both cases, he can easily spoof the IP address of the Google DNS server and all your traffic goes through him. This is the case where he is interested in your communication. So whether you encrypt your data or not, he has this access. :-) If the attacker is a government, then he can again be an active attacker. Who can detect him?
Best,
Hosnieh

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
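The two attacker models argued over above (a passive observer versus an on-path active attacker, against a resolver learned from DHCP with no key to check versus a "hard-wired" resolver whose key the stub already knows) can be run through a small simulation. This is an added illustration, not code from the draft or from either poster; the Diffie-Hellman group, the HMAC-based stream cipher and the idea of a pinned resolver public key standing in for a "hard-wired" resolver are all assumptions of this toy, not anything the thread specifies.

```python
"""Toy model of encrypted stub->resolver queries under the thread's attacker models.

Added illustration, not from the draft or the mailing-list thread.  Assumptions:
a small Diffie-Hellman group, an HMAC-SHA256 keystream as the cipher, and a pinned
resolver public key playing the role of a "hard-wired" (authenticated) resolver.
"""
import hashlib
import hmac
import secrets

# Toy DH group (127-bit Mersenne prime).  A real deployment would use a standard
# large group; this size is an assumption chosen so the example runs instantly.
P = 2**127 - 1
G = 3


def keypair():
    """Ephemeral or static DH key pair (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Session key = SHA-256 of the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def seal(key, plaintext):
    """Toy authenticated encryption: HMAC keystream XOR, then an HMAC tag."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        ks = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(plaintext[i:i + 32], ks))
    ct = bytes(out)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key, sealed):
    """Return the plaintext, or None if the tag fails (wrong key or tampering)."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return seal(key, ct)[:-32]  # the XOR keystream is its own inverse


def run(query, attacker_active, pinned):
    """Simulate one query.  Returns (resolver_read_query, attacker_read_query).

    attacker_active: attacker is on-path and may substitute keys (MITM), not just listen.
    pinned: the stub already holds the resolver's public key ("hard-wired" resolver)
            instead of accepting whatever key arrives over the network (DHCP-style).
    """
    r_priv, r_pub = keypair()  # resolver key (static and pinned, or ephemeral)
    s_priv, s_pub = keypair()  # stub's ephemeral key
    a_priv, a_pub = keypair()  # attacker's key

    # Key the wire hands the stub: the resolver's, or the attacker's if he is on-path.
    offered_pub = a_pub if attacker_active else r_pub
    # A stub with a pinned key ignores the offered one; an opportunistic stub trusts it.
    stub_key = derive_key(s_priv, r_pub if pinned else offered_pub)
    wire = seal(stub_key, query)

    attacker_view = None
    s_pub_at_resolver = s_pub
    if attacker_active:
        # MITM: try to decrypt with the key the stub would share with *him*.
        attacker_view = open_(derive_key(a_priv, s_pub), wire)
        if attacker_view is not None:
            # Re-encrypt towards the real resolver so nothing looks wrong downstream.
            wire = seal(derive_key(a_priv, r_pub), attacker_view)
            s_pub_at_resolver = a_pub
        # If the tag failed he cannot read it; the best he can do is relay as-is.

    resolver_view = open_(derive_key(r_priv, s_pub_at_resolver), wire)
    return resolver_view == query, attacker_view == query


if __name__ == "__main__":
    q = b"example.com. IN A"  # constructed sample query, not captured traffic
    print("passive observer, opportunistic:", run(q, False, False))
    print("active attacker,  opportunistic:", run(q, True, False))
    print("active attacker,  pinned key:   ", run(q, True, True))
```

The three runs reproduce the positions in the thread: a passive observer gets nothing from the opportunistic session (Paul's point), an on-path attacker substituting the resolver key reads every query while the resolver still receives it unchanged, so nothing is detected (Hosnieh's point), and only the pinned-key stub denies the active attacker the plaintext, which is why the thread treats authentication as the property that actually distinguishes the two cases.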
