A comment of Olafur's has triggered me to write something I like about the charter, and also something in support of Stephane. Olafur wrote;
> So I think the charter is right in saying “will focus on last mile” and check > if that solution will scale to other cases. The charter uses the noun “mechanisms” not “solutions, and doesn't to indicate the development of single one-size-fits all solution, as I read it. It also makes explicit in the milestones that multiple “solutions” might be developed. Stephane’s existing draft about the problem statement has done a great job in leading us to understand that there are varied operational realizations that need to be served by IETF’s work here. Operationally end-systems reach the iterative resolver and beyond in different ways. Taking just two, there’s the case in which a stub and iterative resolver are both running on the same computer, and the case in which many end-systems reach the iterative resolver through enterprise name system management of some kind. In both cases, you can see that the end-systems are subject to having their queries linkable (in a privacy-revelation sense) and subject to compromise of their DNS private exchange, even if some mechanism for confidentiality of the stub-to-iterator is present. I’d like to see the working group propose and specify whatever the needed deployable mechanisms are to provide the end-system(s) with DNS private exchange, and not start with a mechanistic boundary. Best regards, Allison On Oct 6, 2014, at 11:26 AM, Olafur Gudmundsson <[email protected]> wrote: > > On Oct 6, 2014, at 8:44 AM, Stephane Bortzmeyer <[email protected]> wrote: > >> [Keep [email protected] in the loop only if it is substantive comments on >> the WG creation, please] >> >> On Fri, Oct 03, 2014 at 10:38:35AM -0700, >> The IESG <[email protected]> wrote >> a message of 68 lines which said: >> >>> The primary focus of this Working Group is to develop mechanisms >>> that provide confidentiality between DNS Clients and Iterative >>> Resolvers, >> >> I do not see why the group is limited to this point. 1) Some technques >> (such as hop-to-hop encryption) work exactly the same for this case >> and the case of resolvers<->authoritative. 2) The problem of data >> gathering by authoritative name servers is as serious as the problem >> of sniffing by third parties between a stub client and a resolver, and >> should be addressed at the same level. >> >> > > Well different techniques might be “better” in the two cases, i.e. connection > from client to Recursive resolver > may only be kept open for a short time while the connection from Recursive > Resolver to a BIG DNS data provider > might be always-on. > So I think the charter is right in saying “will focus on last mile” and check > if that solution will scale to other cases. > > Olafur _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
