Dear all, Let's imagine that we actually want to make it hard for anyone to figure out what data is being requested via DNS. DNSCurve won't work: the nameservers involved learn what the request is and who made it. Combining it with DNSSEC+ISP cache also won't work: the ISP learns what you requested from it, and that you made the request.
This doesn't change with QNAME minimization: caches still learn what the request was, and some servers have to see the entire request, including servers that aren't necessarily trusted. It doesn't change if the entity actually doing the lookup is at the other end of some connection, but merely moves the problem around. Even if you share the entity doing the lookups with many other people, this may still be an issue until we get to large enough numbers where the entity becomes a real target it in its own right. Can we actually solve this problem? Yes: there are PIR protocols that force an attacker to compromise multiple independent parties to learn the results of a query. Many of these PIR protocols are very efficient. More work is needed to determine how inefficient they are, impacts on the time taken to respond to a query, and what the best algorithm is. The cost is that caches may have to do slightly more work, and communication costs will probably increase significantly. How to load data in from the DNS into the caches when it isn't found is a problem I'm still thinking about. Sincerely, Watson Ladd _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
