Shane Kerr wrote:
> I'm basically thinking that the next step is encrypting the
> resolver-to-authority session, right? Steps beyond that to increase
> privacy are much trickier, since they involve defeating traffic
> analysis, but it seems like encrypting resolver-to-authority is
> more-or-less well understood.

It seems like you would want to encrypt traffic between AXFR client and AXFR server as well. Even if the data in a zone is public, being able to collect the history of a zone (e.g. to be able to tell the exact instant a particular record of interest was added to it) may be useful to an attacker. And key distribution between AXFR clients and servers is probably even more well understood than key distribution between resolver and authority.

--
Robert Edmonds
