> Stephane Bortzmeyer <mailto:[email protected]>
> Thursday, October 23, 2014 9:59 AM
>
> On Wed, Oct 22, 2014 at 01:08:46PM -0700,
> Paul Ferguson <[email protected]> wrote
>
> It is already known (draft-bortzmeyer-dnsop-dns-privacy-02.txt,
> sections 2.5 and 3) and, as Phillip Hallam-Baker noticed, it may be
> seen as a feature, not a bug.
since my company has a big passive dns investment, i should chime in here. +1.

capturing dns traffic off the wire is difficult and unreliable, requires reassembling fragmented udp, requires reassembling tcp sessions, requires guessing the bailiwick, and misses off-the-wire events like cache misses. but also, and importantly, it risks having a network operator collect passive dns traffic from downstream without having explicit permission from each name server operator. we work hard at farsight to ensure that our sensor operators always have such permission if they are running our sensor code on a span port or passive ethernet tap rather than on a name server itself. (our sensor is just a BPF app, so it doesn't care where it runs.)

for a lot of reasons, including privacy protection, we're developing 'dnstap' (see https://dnstap.info). this is a small patch for recursive name servers that instruments parts of the data and control planes. it is not service affecting in the way "query logging" can be. it gathers off-the-wire events like cache purge, and gives reliable signaling for bailiwick. and most importantly for privacy: it runs inside the recursive name server, such that it cannot collect data without server-by-server configuration, cooperation, and permission.

i see no problems for passive dns from encrypting more of DNS on the wire, because we're moving off-the-wire anyway.

that url again is https://dnstap.info, and both the software and protocol are apache-open-source-license-v2.0. there are patches for kdig, knot, and unbound. work is about to start on bind9. we don't have an nsd or powerdns story yet. vendor support from microsoft, nominum, cisco, and other non-open-source name server implementors would be welcomed.

-- 
Paul Vixie
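The "guessing the bailiwick" problem from the message above, as an added example that is not part of the post and is neither Farsight's sensor code nor dnstap: a minimal DNS wire-format parser run over two constructed responses, the heuristic an off-the-wire sensor has to fall back on (take the owner name of the NS RRset in the authority section as the bailiwick), and a comparison against the zone the querying resolver already knows because it chose which server to ask. The names, addresses, message layouts and the heuristic itself are all illustrative assumptions; only the wire format is real.

```python
# Added illustration (not dnstap or Farsight code): why an off-the-wire passive
# DNS sensor must *guess* the bailiwick of a response, while the recursive
# server that sent the query already knows it. All data below is constructed.
import struct

A, NS = 1, 2  # RR type codes used in this example

def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rr(name, rtype, rdata, ttl=300):
    """Build one resource record in class IN."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))

def build_response(qname, answer, authority, additional, flags):
    """One-question response; flags 0x8400 = QR+AA (authoritative), 0x8000 = QR only."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    return hdr + encode_name(qname) + struct.pack("!HH", A, 1) + b"".join(answer + authority + additional)

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we left
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)

def parse_response(msg):
    """Parse header, skip the question, and return the three RR sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            raw = msg[off:off + rdlen]
            off += rdlen
            if rtype == NS:
                rdata = read_name(msg, off - rdlen)[0]
            elif rtype == A:
                rdata = ".".join(str(b) for b in raw)
            else:
                rdata = raw
            rrs.append((name, rtype, rdata))
        sections[key] = rrs
    return flags, sections

def in_bailiwick(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def guess_bailiwick(sections):
    """Off-the-wire heuristic (assumption): owner of the NS RRset in the authority section."""
    for name, rtype, _ in sections["authority"]:
        if rtype == NS:
            return name
    return None

def split_by_bailiwick(sections, zone):
    """Records a sensor may attribute to `zone` vs. those it must drop as out of bailiwick."""
    keep, drop = [], []
    for sec in ("answer", "authority", "additional"):
        for r in sections[sec]:
            (keep if in_bailiwick(r[0], zone) else drop).append(r)
    return keep, drop

# Constructed message 1: authoritative answer from an example.com server, which
# also volunteers an address for a name server outside its own zone.
AUTH_ANSWER = build_response(
    "www.example.com", flags=0x8400,
    answer=[rr("www.example.com", A, a_rdata("192.0.2.10"))],
    authority=[rr("example.com", NS, encode_name("ns1.example.com")),
               rr("example.com", NS, encode_name("ns.hosting.test"))],
    additional=[rr("ns1.example.com", A, a_rdata("192.0.2.1")),
                rr("ns.hosting.test", A, a_rdata("203.0.113.5"))])

# Constructed message 2: the referral a .com server sends for the same question.
# The NS owner is the child zone, so the wire heuristic names the wrong bailiwick.
REFERRAL = build_response(
    "www.example.com", flags=0x8000, answer=[],
    authority=[rr("example.com", NS, encode_name("ns1.example.com"))],
    additional=[rr("ns1.example.com", A, a_rdata("192.0.2.1"))])

def compare(msg, zone_the_resolver_queried):
    """What a wire sensor guesses vs. what the querying resolver actually knows."""
    _, sections = parse_response(msg)
    guessed = guess_bailiwick(sections)
    keep, drop = split_by_bailiwick(sections, guessed)
    return {"guessed": guessed, "known": zone_the_resolver_queried,
            "agree": guessed == zone_the_resolver_queried,
            "kept": len(keep), "dropped": [r[0] for r in drop]}

if __name__ == "__main__":
    print(compare(AUTH_ANSWER, "example.com."))  # heuristic right; glue for ns.hosting.test dropped
    print(compare(REFERRAL, "com."))             # heuristic wrong; only the resolver knew it asked .com
```

The second case is the whole point: the referral's bytes are identical whether they came from a `.com` server or from a misconfigured host, and nothing in them says which zone the responder was authoritative for. The resolver knows because it is the one that followed the delegation, which is why an in-server tap can report the bailiwick as a fact while a wire sensor can only infer it.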
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
