On Wed, Oct 22, 2014 at 5:02 PM, Paul Ferguson <[email protected]> wrote:
> On 10/22/2014 1:34 PM, Paul Hoffman wrote:
>>
>> Passive DNS collection is done at recursive and authoritative servers.
>> How would encryption between the stub and its upstream recursive affect the
>> ability to collect passive DNS data?
>
> My concern here is in the "end-to-end" discussion, e.g. any obfuscation
> or encrypting DNS traffic in the path in number 2 below basically breaks
> pDNS:
>
> 1. stub to recursive
> 2. recursive to authoritative
> 3. zone maintenance

I think you are going to find that the existence of pDNS has just turned into a use case for #2 rather than a reason against doing it.

To be clear, any US academic using pDNS data who has not gone through human subjects review had better do that right now. It's not just their career at risk; if they are working under a US federal govt grant they may be breaking the law.

At any rate, nobody seems to like DJB's ideas of eliminating recursives or doing anything that would prevent caching. So the recursive will stay and have visibility of the traffic. Which in my view means that the recursive has to be a trusted service and the notion of promiscuous recursive resolver use has to be stamped out.

> I may have misunderstood a portion of the discussion regarding "both
> ends of the end-to-end", but that's probably what I get for responding
> during a meeting. :-)

Yet another reason why recourse to the end-to-end principle rarely helps clarify security questions: the ends are rarely where you would want them to be, and won't be people till Apple start selling their cyborg implants that can offload the ECC calculations.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
