On 11/20/2018 11:39 PM, Vittorio Bertola wrote:
>> On 21 November 2018 at 5.44 Christian Huitema <[email protected]> wrote:
>>
>> Maybe. Over time various entities have developed control techniques that
>> work by limiting which domains are resolved in a particular context, and
>> how they are resolved. But at the same time, the DNS is a widely
>> distributed database accessible through thousands of servers. Given this
>> wide availability, do you really believe that these control techniques
>> are stable in the long run?
> I would actually reverse the question: do you really think that the IETF 
> should work to destabilize these control techniques (as it has been doing), 
> rather than to make them more stable and, importantly, more transparent, 
> standardized and accessible to everyone?

You make it sound like some aggressive attack, but it is a trade-off.
The IETF is working to enhance the privacy of DNS users, and the
authenticity of DNS responses. Doing so inevitably affects the
operations that relied on the lack of privacy or lack of security of DNS
operations.

At the same time, I observe that the techniques that try to block access
to DNS data from the middle of the network are fundamentally unstable,
because DNS data is widely available. If DTLS or DoH were not available,
users that want the data would just use private VPNs or a variety of
private proxies. The real challenge is thus to provide management
techniques that do not require intercepting traffic in flight, in
particular for the enterprise scenario in which the clients "opt in" to
management control.

Also, if you analyze the enterprise scenarios, you observe a need for
both management and privacy. Enterprise managers would rather not see
employees perusing frivolous web pages during work time, but they also
don't want outside parties to analyze their web activities. Leaking DNS
usage patterns to third parties can reveal work in progress, internal
research, etc.

-- Christian Huitema


_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
