On Mon, 13 Apr 2015, Daniel Migault wrote:
Just for information, what are the technical reasons IPsec has not been considered at all for providing DNS privacy?
People can already use an IPsec VPN and a remote DNS server without anything new from IETF? I think additionally, IPsec has a higher barrier to entrance because it needs more privileges to build a system host tunnel as compared to an application encryption tunnel like (D)TLS. Also, IPsec does not yet allow the client to remain anonymous - although we're almost done with that part with draft-ietf-ipsecme-authnull. And you _can_ already use that if you support IKE authnull to 193.110.157.123 (although it does not yet support one-sided auth where the IKE client verifies the IKE server).

Having an IPsec protected DNS connection is a very good and solid solution. But an individual application cannot decide to use such encrypted DNS. Using an application based (D)TLS would allow an application to make encrypted DNS possible without requiring the system core OS to have some support for that.
The use of IPsec could re-use existing extensions like NAT traversal, compatibility with UDP/TCP, resilience to change of IP addresses... and this without creating new extensions.
But you get those as well using (D)TLS?

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
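The contrast Paul draws above (an application-level encrypted DNS channel that needs no OS privileges, with server authentication that keeps the client anonymous) is illustrated by the following added example. It is not code from the thread or from any of its participants; it is a minimal DNS-over-TLS client in the style of RFC 7858. The resolver host name and IP address passed to resolve_over_tls are assumptions to be filled in by the reader, the transaction id 0x1234 and the 192.0.2.1 answer (TEST-NET-1) are constructed for the offline demo, and only the wire encoding, framing and parsing run without a network.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS port (RFC 7858)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (default QTYPE A=1, QCLASS IN=1).

    txid is a constructed constant here; a real client picks it at random.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tls(message: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_answers(response: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F != 0:  # RCODE other than NOERROR: no usable answers
        return []
    offset = 12
    for _ in range(qd):
        offset = _skip_name(response, offset) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TLS records may split messages)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS stream early")
        buf += chunk
    return buf


def resolve_over_tls(name: str, resolver_host: str, resolver_ip: str) -> list[str]:
    """Exchange one framed query/response over a server-authenticated TLS session.

    The default context verifies the resolver's certificate chain and host name
    while the client presents no identity, and nothing here needs privileges
    beyond opening an ordinary TCP socket. resolver_host/resolver_ip are the
    caller's assumptions; this function is not exercised offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame_for_tls(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_answers(_recv_exact(tls, length))


def sample_response() -> bytes:
    """Constructed response to build_query("example.com"): one A record, name compressed."""
    query = build_query("example.com")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, 1 answer
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration of the framing and parsing path only.
    print(frame_for_tls(build_query("example.com")).hex())
    print(parse_a_answers(sample_response()))
```

The TLS handshake in resolve_over_tls is the whole "application encryption tunnel": the process owns the socket, the certificate check is one-sided in the direction Paul says IKE authnull does not yet offer (client verifies server, server learns nothing about the client), and no kernel policy or tunnel interface is involved.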
