On Thu, 24 Oct 2014, D. J. Bernstein wrote:
> I've never proposed "eliminating recursives" (caches). What I propose is complete _decentralization_ of the caches: you run your own trusted DNS cache on your own laptop/smartphone/etc., talking directly to the authoritative DNS servers---preferably with end-to-end encryption such as DNSCurve, but there are several advantages even without encryption.
With a modern browser, these two are pretty much the same thing due to in-application caching. So for the discussion on feasibility of infrastructure, the argument is moot. Decentralising caches could actually be worse for DNS privacy, as your query no longer stops in the big ISP pool to gain some anonymity, but instead links straight to you with specific TTLs on your personal cache expiry/re-fetch timers. Of course, you can get the best of both worlds by using "centralised" (read ISP) caches for your own caching (validating) server on localhost. Thanks to DNSSEC, we can rely on untrusted "centralised" caches. Of course that doesn't work for DNSCurve because DNSCurve only solves one little aspect of DNS security (transport encryption), and at the cost of not being able to use any non-local caches and pushing the crypto load of transport security completely onto the authoritative servers, opening those up to CPU DoS attacks more easily than querying for ANY isc.org.
> I'm also surprised at how little common-sense perspective appears in most discussions of DNS
I was surprised similarly, listening remotely to a CCC talk a few years ago :)

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
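The "best of both worlds" setup described above (a DNSSEC-validating cache on localhost that forwards to an untrusted upstream cache), shown as an added Unbound configuration example; this is not code from either poster. It assumes Unbound, the trust-anchor file path /var/lib/unbound/root.key, and a placeholder ISP resolver address 192.0.2.53.

```conf
# Local validating resolver that forwards to an untrusted upstream cache.
# Added illustration; adjust paths and the upstream address for your system.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # RFC 5011-managed root trust anchor: validation happens here, so the
    # upstream cache only has to relay records, not be trusted for them.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Treat responses that strip DNSSEC data for signed zones as bogus
    # rather than silently accepting them as insecure.
    harden-dnssec-stripped: yes

    # Keep permissive mode off: a bogus answer must fail (SERVFAIL),
    # not be handed to applications.
    val-permissive-mode: no

    # Re-fetch expiring entries in the background so the per-user
    # cache-timer pattern mentioned above is less visible upstream.
    prefetch: yes

# Send all queries to the upstream (ISP) cache instead of the authoritatives;
# 192.0.2.53 is a documentation-range placeholder for the ISP's resolver.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

To confirm validation is happening locally, query a signed name with `dig +dnssec @127.0.0.1 example.com A` and check that the response flags include `ad`; `unbound-host -C /etc/unbound/unbound.conf -v example.com` prints `(secure)` for the same case.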
