On Wed, Oct 22, 2014 at 4:08 PM, Paul Ferguson <[email protected]> wrote:

> Apologies for the top-post and the length of quoted text, but I wanted
> to retain some context of Vixie's remarks.
>
> I would also like to express my concern on the similar issues that Vix
> expressed here, but perhaps a dprive "implementation and architecture"
> document would be a good idea?
>
> I am afraid that this effort gets too far down the path before
> realizing how some implementation of the "privacy path" before realizing
> that the scheme breaks things like passive DNS collection.
>
> For security operations folks, pDNS data collection is an imperative in
> how we do reputation, etc., especially consider where the encryption
> path is implemented:
>


What on earth is passive DNS and what is the use case for it?

[I know, but I am certain most folk here don't or the conversation would be
different]


Your 'passive DNS' is just another form of intercept.

I am not obliged to trust your good faith and promise not to abuse that
information any more than the NSA, KGB[1] or PLA. Calling it imperative
does not excuse having collected it without explicit consent.


No, the fact that some folk like visibility into the system to collect data
does not mean that they get to keep that data channel open in perpetuity
because they got there first and have 'dibs' on that data. The data should
not have been visible in the first place.

Has anyone gone through a human subjects review before collecting this
data? Seems to me the fact that RFC 1262 hasn't been updated in quite a
while should worry a few people.



[1] Like Windscale they rebranded when the name became notorious but it's
the same thing as before.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy