I think the paper is showing why end-to-end DNS privacy is not practical. Fortunately, that is not the only model on offer.
http://tools.ietf.org/html/draft-hallambaker-privatedns-00

What I propose in Private-DNS is that we begin by taking the DNS resolution service inside our trust envelope and make it a chosen trusted service. At present the default configuration is that the resolver is deemed to be 'untrusted' even though it is obviously performing a trusted function. I think this is just common sense regardless of whether we use DNSSEC, Private-DNS or whatever. Taking a service as important as discovery from random network locations is just stupid.

What I propose is that all DNS messages be encrypted but the encryption context be hop-by-hop rather than end-to-end. So if you choose dns.comodo.com as your resolver service, the packets from your client to dns.comodo.com would be encrypted and requests out from dns.comodo.com would be encrypted. But dns.comodo.com would see all your traffic.

The reason for this approach is precisely that we are looking to prevent traffic analysis rather than provide message layer confidentiality. So I am not that worried that the resolver service might defect, provided that I get to choose who provides that service. What matters to me is that a third party can't intercept that traffic. In the model I am suggesting, the DNS resolution service is going to be aggressively pre-fetching DNS queries in any case, so 99.5% of queries get answered from cache.

Since I wrote the paper my views on DNS and DNSSEC have evolved. I still think DNSSEC has a role and it is useful to check records in the resolver. I don't see the utility in end-to-end DNSSEC except for TLSA records and other security policy type records. What matters to me is that my client connects to the intended end point. I really don't care that it connects to the IP address specified by the domain name owner. If I want to protect communications against traffic analysis, I am going to be rewriting those in any case.
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
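The hop-by-hop model described in the post, as an added illustration that is not code from the post or from the Private-DNS draft: the client shares one key with its chosen resolver and the resolver shares another with the upstream server, so a passive observer on either link sees only ciphertext while the resolver itself sees every query name, and a cache hit produces no upstream traffic at all. The per-hop keys, the zone data and the stand-in cipher (SHA-256 keystream plus HMAC tag, in place of a real AEAD) are all assumptions made so the model runs offline.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for a real AEAD: nonce | ciphertext | tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong hop key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class Wire:
    """One network link; a passive observer records every message crossing it."""
    def __init__(self):
        self.captured = []
    def send(self, blob):
        self.captured.append(blob)
        return blob

class Resolver:
    """The chosen resolver holds both hop keys, so it sees every query name."""
    def __init__(self, k_client, k_up, upstream, wire_up):
        self.k_client, self.k_up, self.upstream, self.wire_up = k_client, k_up, upstream, wire_up
        self.cache, self.seen = {}, []
    def handle(self, blob):
        name = unseal(self.k_client, blob).decode()
        self.seen.append(name)  # plaintext is visible here, by design
        if name not in self.cache:  # miss: re-encrypt under the upstream hop key
            reply = self.upstream(self.wire_up.send(seal(self.k_up, name.encode())))
            self.cache[name] = unseal(self.k_up, reply)
        return seal(self.k_client, self.cache[name])  # hit: no upstream traffic at all

def demo():
    k_cr, k_ra = os.urandom(32), os.urandom(32)  # constructed per-hop keys
    zone = {"example.com": b"192.0.2.1"}         # constructed authoritative data
    wire_down, wire_up = Wire(), Wire()
    authoritative = lambda blob: seal(k_ra, zone[unseal(k_ra, blob).decode()])
    resolver = Resolver(k_cr, k_ra, authoritative, wire_up)
    answers = []
    for _ in range(2):  # the second query is answered from the resolver cache
        reply = resolver.handle(wire_down.send(seal(k_cr, b"example.com")))
        answers.append(unseal(k_cr, reply).decode())
    leaked = any(b"example.com" in c for c in wire_down.captured + wire_up.captured)
    return {"answers": answers, "resolver_saw": resolver.seen,
            "observer_saw_name": leaked, "upstream_queries": len(wire_up.captured)}
```

Running `demo()` returns both answers, the two names the resolver logged, `False` for the observer, and one upstream query for two client queries.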
