Hi, Working on an effective solution for confidentiality of stub to iterative resolvers seems an essential part of the WG's mandate. Input from P Vixie and others seems to have this moving.
Thanks to Ted Hardie and Mark Andrews for expanding on the issue of, and beginning a discussion of a potential solution to, respectively, the iterative to authoritative resolver DNS information leakage. DNS information is clearly public information. But that does not mean that one needs to publish *who* is accessing that public data. As an ananlogy: the collection of books in a public library may be considered 'public' information. Nonetheless, librarians expend effort to restrict access to the information of who is borrowing the items. i.e the information itself is public, but the information of who is accessing it does not need to be. I encourage the WG to agree on a manner for confidentiality between iterative and authoritative resolvers. I suggest that this would be an optional service (MAY not MUST), at least to begin with. The addition of encryption adds a considerable weight; UDP -> TCP and handshakes and ciphters. Thus, it may take some time before many authoritative resolvers are provisioned to provide confidential query services. Should the WG not wish to create the possibility of confidentiality the resolvers, I hope that it at least characterises the type and scope of what information is being leaked. Perhaps that should be done anyway. I am quite happy to begin work on just that, should that be desired. Regards, Hugo Connery -- Technical University of Denmark _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
