On Oct 6, 2014, at 7:47 AM, Daniel Kahn Gillmor <[email protected]> wrote:

> On 10/06/2014 08:44 AM, Stephane Bortzmeyer wrote:
>> [Keep [email protected] in the loop only if it is substantive comments on
>> the WG creation, please]
>> 
>> On Fri, Oct 03, 2014 at 10:38:35AM -0700,
>> The IESG <[email protected]> wrote 
>> a message of 68 lines which said:
>> 
>>> The primary focus of this Working Group is to develop mechanisms
>>> that provide confidentiality between DNS Clients and Iterative
>>> Resolvers,
>> 
>> I do not see why the group is limited to this point. 
> 
> But it is not limited.  The full text of the paragraph you've quoted is:
> 
>>> The primary focus of this Working Group is to develop mechanisms that
>>> provide confidentiality between DNS Clients and Iterative Resolvers,
>>> but it may also later consider mechanisms that provide confidentiality
>>> between Iterative Resolvers and Authoritative Servers, or provide
>>> end-to-end confidentiality of DNS transactions. Some of the results of
>>> this working group may be experimental.
> 
> So the argument appears to be that we should focus on standardizing
> private communication between clients and resolvers, but if we happen to
> be able to solve private between resolvers and authoritative nameservers
> as well, that would also be considered in-scope.

That seems right to me. Two of the operational problems with adding encryption 
between iterative (recursive) resolvers and authoritative servers that keep 
being brought up are DoS-by-crypto and establishment of trust. An opt-in, 
always-opportunistic approach could work, although we would then probably have 
the "you should never encrypt operations traffic" and "opportunistic is not 
good enough for my particular security scenario" discussions all over again.

--Paul Hoffman

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy