On Fri 2018-12-14 22:58:09 +0000, Stephen Farrell wrote:
> I'm probably exposing my lack of DNS-clue, but I wonder if it
> is/isn't possible to embed a "like/want/offer privacy" signal
> in the DNS protocol, rather than in the data carried by the
> protocol? (Regardless of whether the latter might be done via
> funny names or new/additional RRs.)
i think you're suggesting some sort of "starttls"-like mechanism --
start a DNS connection to an authoritative server, and then the server
lets you know "hey you might also want to try me in the future via
private channels"

is that what you're proposing?

if so, it has the unsatisfying aspect common to all starttls-like
proposals: it can be trivially stripped.

it is also unsatisfying in the DNS world because there typically isn't
a handshake -- the first packet contains the sensitive data that you
might want to keep private.

It could certainly help over the longer term against a passive monitor
-- the initial privacy leak could be amortized over many future
communications between the resolver and the authoritative -- but it
still leaves the first connection to that server unprotected even
against passive attack, which is something that signalling in the name
could potentially avoid.
--dkg
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
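The two objections in the message above (an in-band "privacy offered" hint can be stripped by whoever rewrites the cleartext response, and remembering the hint amortizes but never removes the leak of the first query to a given server) can be made concrete with a small model. The following is an added example written for this page; it is not code from the dns-privacy thread or from any DNS implementation. The `privacy_offered` flag, the `OnPathRewriter`, the HSTS-like per-server memory in `Resolver`, the server name `ns1.example` and the query names are all hypothetical, constructed only to count how many query names reach a passive observer in cleartext under each scenario.

```python
"""Toy model of an in-band "privacy offered" hint for DNS (constructed example).

Hypothetical protocol, not real DNS: a cleartext response may carry a hint
"try me over a private channel next time"; the resolver may remember it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Response:
    """Hypothetical response: an answer plus the in-band privacy hint."""
    answer: str
    privacy_offered: bool


@dataclass
class Authoritative:
    name: str
    supports_privacy: bool

    def serve(self, qname: str) -> Response:
        # Constructed answer; 192.0.2.1 is an RFC 5737 documentation address.
        return Response(f"{qname} A 192.0.2.1", self.supports_privacy)


class OnPathRewriter:
    """Models the stripping problem: anyone who can rewrite the cleartext
    response can simply clear the hint before the resolver sees it."""

    def __init__(self, strip_query_numbers: Optional[Set[int]] = None,
                 strip_all: bool = False) -> None:
        self.strip_query_numbers = strip_query_numbers or set()
        self.strip_all = strip_all

    def rewrite(self, resp: Response, query_no: int) -> Response:
        if self.strip_all or query_no in self.strip_query_numbers:
            return Response(resp.answer, privacy_offered=False)
        return resp


@dataclass
class Resolver:
    # Hypothetical HSTS-like memory: once a server has offered privacy,
    # later queries to that server go over the private channel.
    remember_hints: bool = True
    upgraded: Dict[str, bool] = field(default_factory=dict)
    leaked: List[str] = field(default_factory=list)

    def query(self, server: Authoritative, qname: str,
              rewriter: Optional[OnPathRewriter] = None, query_no: int = 0) -> str:
        if self.upgraded.get(server.name):
            # Private channel: qname is hidden from a passive monitor and there
            # is no cleartext response for the rewriter to tamper with.
            server.serve(qname)
            return "private"
        # Cleartext: no handshake, so the first packet already carries qname.
        self.leaked.append(qname)
        resp = server.serve(qname)
        if rewriter is not None:
            resp = rewriter.rewrite(resp, query_no)
        if resp.privacy_offered and self.remember_hints:
            self.upgraded[server.name] = True
        return "cleartext"


QNAMES = [f"host{i}.example" for i in range(5)]  # constructed query names


def run(resolver: Resolver, rewriter: Optional[OnPathRewriter],
        qnames: List[str] = QNAMES) -> Tuple[int, List[str]]:
    """Send qnames to one privacy-capable server; return (leaked count, channel per query)."""
    server = Authoritative("ns1.example", supports_privacy=True)
    channels = [resolver.query(server, q, rewriter, i) for i, q in enumerate(qnames)]
    return len(resolver.leaked), channels


def scenario_passive_only() -> Tuple[int, List[str]]:
    """Nobody rewrites: the first query leaks, the rest are amortized."""
    return run(Resolver(), None)


def scenario_strip_every_hint() -> Tuple[int, List[str]]:
    """Hint stripped on every response: the downgrade holds for all queries."""
    return run(Resolver(), OnPathRewriter(strip_all=True))


def scenario_strip_first_hint() -> Tuple[int, List[str]]:
    """Hint stripped once: one extra cleartext query, then memory takes over."""
    return run(Resolver(), OnPathRewriter(strip_query_numbers={0}))


def scenario_stateless_resolver() -> Tuple[int, List[str]]:
    """A resolver that forgets hints gains nothing from them."""
    return run(Resolver(remember_hints=False), None)


if __name__ == "__main__":
    for name, fn in [("passive only", scenario_passive_only),
                     ("strip every hint", scenario_strip_every_hint),
                     ("strip first hint", scenario_strip_first_hint),
                     ("stateless resolver", scenario_stateless_resolver)]:
        leaked, channels = fn()
        print(f"{name:18s} leaked={leaked}/{len(QNAMES)} {channels}")
```

Even in the best case (no rewriting, resolver remembers) the count never drops below one per server, which is the residual leak the message points at; signalling carried in the name itself would be visible before the first packet is sent, which is why it is proposed as the alternative.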
