Hi,

Many interesting points, and +1 to "Yes, please clarify your threat modeling in the I-D which you develop". ODNS looks interesting, and the more ideas in the pot the better.

However, let's not forget that we've just "approved" the re-charter. As I said, years ago, without attacking the recursive-to-auth layer all we have done is make DNS's security less than that of Tor (as a community using any small collection of recursers would likely be smaller than a Tor exit node). So, let's welcome new ideas, encourage their careful expression, improve them where possible, *and* get onto the recursive-to-auth layer.

There is likely to be pushback from large auth resolver players against adding encryption. However, Tony Finch's recent "here are some numbers" indicates that this is all doable. Nice to see BIND gaining next-to-top spot on their D(TLS) work with 9.11. Hats off to ISC, and whoever is working on that. One very interesting result there is that TCP is near to UDP in response timing. Thanks to IETF's TLS heroes we can throw TLS 1.3 derived solutions at the TCP version of recursive-to-auth, and by extension at the DTLS stuff too.

Let's be proud of the D(TLS) and padding work, be happy that implementors are implementing, push forward on recurse to auth and welcome all the interesting overlay network suggestions which help in disaggregating the (client net id, query) privacy smash.

There is one subtle(ish) point: encryption solves the mass surveillance problem, the overlay solutions solve the aggregation problem. The first really addresses the work post "mass surveillance is an attack ...". I think we need *both*.

Regards,
Hugo

PS: ODNS reminds me a little of Moxie's Convergence. I like the idea of having a random round robin of user-selected trusted authoritative ODNS (or whatever) resolvers in use. It's like using different internet search engines over Tor; spray my quasi-anonymous logs all over the place. I'm apparently in (France, Ukraine, Australia, Brazil, ...) and my logs are at (Bing, DuckDuckGo, Yahoo, ...) and it's all transport encrypted. Try and aggregate that!
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
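Added illustration, not part of Hugo's mail or of any ODNS implementation: a small model of the two adversaries the mail separates, an on-path eavesdropper (mass surveillance) and a resolver operator (aggregation), showing which of the client's query names each can tie to the client under plaintext, transport encryption, and transport encryption plus a spread of resolvers. The query list, resolver names and the deterministic round-robin policy are constructed assumptions for reproducibility; the mail describes a random choice among user-selected resolvers.

```python
from collections import defaultdict

# Constructed sample query stream for one client (not from the mail).
QUERIES = ["example.org", "mail.example.net", "bank.example",
           "news.example", "shop.example", "vpn.example"]


def observe(queries, resolvers, encrypted):
    """Simulate one client sending `queries` round-robin over `resolvers`.

    Returns {observer: set of query names attributable to the client}.
    'network' is an eavesdropper between client and resolvers; it always
    sees the (client, resolver) endpoints but the qname only in plaintext.
    'resolver:X' is the operator of X, who must see the qname to answer it.
    """
    views = defaultdict(set)
    views["network"]                       # exists even if it learns nothing
    for r in resolvers:
        views[f"resolver:{r}"]
    for i, name in enumerate(queries):
        r = resolvers[i % len(resolvers)]  # deterministic stand-in for random pick
        if not encrypted:
            views["network"].add(name)
        views[f"resolver:{r}"].add(name)
    return dict(views)


def max_aggregation(views, total):
    """Largest fraction of the client's queries any single observer can tie
    to that client: 1.0 is a full profile, lower means disaggregated."""
    return max(len(v) for v in views.values()) / total


def compare(queries=QUERIES, resolvers=("R1", "R2", "R3")):
    """The three deployments the mail contrasts, as label -> max_aggregation."""
    n = len(queries)
    return {
        "plaintext, one resolver": max_aggregation(observe(queries, resolvers[:1], False), n),
        "encrypted, one resolver": max_aggregation(observe(queries, resolvers[:1], True), n),
        "encrypted, spread over resolvers": max_aggregation(observe(queries, resolvers, True), n),
    }


if __name__ == "__main__":
    for label, frac in compare().items():
        print(f"{label:34s} worst observer sees {frac:.0%} of the profile")
```

Encryption alone empties the eavesdropper's view but leaves the single resolver with the whole profile; only spreading queries across resolvers lowers what any one observer can aggregate, which is the "we need both" point.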
