On Oct 23, 2014, at 2:52 AM, Stephen Farrell <[email protected]> wrote:

> But our first job is to define an agreed interoperable way of getting
> confidentiality.
Oh, that's easy... Given memory and bandwidth are so cheap, instead of simply asking for a single answer, we could combine Warren's draft and QNAME minimization: the resolver could cache the entire zone for every zone in a query. That is, if asked for "foo.example.tld A?", it would do a zone transfer of the root, "tld", and "example.tld". Popular zones (as defined by local policy) could be prefetched on resolver startup (and refreshed according to normal zone maintenance semantics).

Backwards compatible, interoperable, end user lookup performance would be improved (at least for popular zones or subsequent queries in a zone), and the information Evil Surveillers of resolver-to-auth traffic would be able to get would be vastly reduced without the need for any stinking crypto or key management nightmares.

Now, we just need to convince zone administrators to allow zone transfers from any/all resolver operators for confidentiality reasons... Hmm. There might be a flaw here...

(with tongue firmly in cheek if that wasn't obvious)

Regards,
-drc
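To make the trade-off in the message concrete, here is an added toy model (not code from the post or from any DNS implementation) of what each authoritative server on the resolver-to-auth path observes when one name is looked up with classic full-QNAME queries, with QNAME minimization, and with the whole-zone-transfer idea. The zone contents, server names and the per-zone "allows AXFR" flags are constructed for the example; the "tld." zone is marked as refusing transfers to show the fallback the author alludes to.

```python
# Added example: compare what resolver->auth observers learn under three
# resolution strategies. Zone data and AXFR policy below are constructed.

# zone -> (allows AXFR to arbitrary resolvers?, records)
ZONES = {
    ".":            (True,  {"tld.": "NS a.tld-servers.example."}),
    "tld.":         (False, {"example.tld.": "NS ns.example.tld."}),
    "example.tld.": (True,  {"foo.example.tld.": "A 192.0.2.1"}),
}

def zones_for(qname):
    """Zones on the delegation path to qname, root first."""
    labels = qname.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]

def resolve(qname, mode, cache=None):
    """Simulate one lookup; return {zone: query its servers observed, or None}.

    mode: 'full' - every server receives the full QNAME
          'qmin' - QNAME minimization: each server gets one more label
          'axfr' - zone caching: AXFR once per zone, then answer locally;
                   zones refusing transfers fall back to minimized queries
    `cache` keeps transferred zones across calls in 'axfr' mode.
    """
    path, seen = zones_for(qname), {}
    for i, zone in enumerate(path):
        minimized = "NS " + path[i + 1] if i + 1 < len(path) else "A " + qname
        if mode == "full":
            seen[zone] = "A " + qname
        elif mode == "qmin":
            seen[zone] = minimized
        elif mode == "axfr":
            if cache is not None and zone in cache:
                seen[zone] = None            # served from cached zone, nothing sent
            elif ZONES[zone][0]:
                seen[zone] = "AXFR"          # whole zone fetched, no QNAME disclosed
                if cache is not None:
                    cache[zone] = ZONES[zone][1]
            else:
                seen[zone] = minimized       # transfer refused: disclosure resumes
        else:
            raise ValueError(mode)
    return seen

def labels_disclosed(seen):
    """Number of QNAME labels each zone's servers learn from the observed query."""
    return {z: 0 if q in (None, "AXFR") else len(q.split()[1].rstrip(".").split("."))
            for z, q in seen.items()}

if __name__ == "__main__":
    cache = {}
    for mode in ("full", "qmin", "axfr"):
        print(mode, resolve("foo.example.tld.", mode, cache))
    print("axfr, second lookup in same zone:", resolve("bar.example.tld.", "axfr", cache))
```

The second 'axfr' lookup shows the upside (cached zones answer without any upstream query) and the catch at once: the zone that refuses transfers still sees a query for every lookup beneath it.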
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
