Many interesting points, and +1 to "Yes, please clarify your threat
modeling in the i-d which you develop".  ODNS looks interesting,
and the more ideas in the pot the better.

However, lets not forget that we've just "approved" the re-charter.

As I said, years ago, without attacking the recursive to auth layer
all we have done is made DNS's security less than that of Tor (as
a community using any small collection of recursers would be likely
smaller than a Tor exit node).  So, lets welcome new ideas, encourage
their careful expression, improve them were possible, *and* get onto
the recursive to auth layer.  There is likely to be push back from
large auth resolver players against adding encryption.  

However, Tony Finch's recent "here are some numbers" indicates that
this is all doable.  Nice to see BIND gaining next to top spot on their
D(TLS) work with 9.11.  Hats off to ISC, and whoever is working on

One very interesting result there, is that TCP is near to UDP in
response timing.  Thanks to IETF's TLS heroes we can throw TLS 1.3 
derived solutions at the TCP version of recursive to auth, and by
extension of the DTLS stuff too.

Lets be proud of the D(TLS) and padding work, be happy that
implementors are implementing, push forward on recurse to auth and
welcome all the interesting overlay network suggestions which help
in disaggregating the (client net id, query) privacy smash.

There is one subtle(ish) point: encryption solves the mass surveillance
problem, the overlay solutions solve the aggregation problem.

The first really addresses the work post "mass surveillance is an
attack ...".  I think we need *both*.  

Regards,  Hugo

PS: ODNS reminds me a little of Moxie's Convergence.  I like the idea
of having a random round robin of user-selected trusted authoritative
ODNS (or whatever) resolvers in use.  Its like using different internet
search engines over Tor ; spray my quasi-anonymous logs all over the 
place.  I'm apparently in (France, Ukraine, Australia, Brazil, ...) and
my logs are at (Bing, DuckDuckGo, Yahoo, ...) and its all transport 
encrypted.  Try and aggregate that!

dns-privacy mailing list

Reply via email to