On 11/1/19 4:34 PM, Eric Rescorla wrote:
>
>     Let me re-emphasize this from the original statement: "FOR PRIVACY".
>
>     DNSSEC security is orthogonal to privacy, and is not a requirement
>     FOR PRIVACY.
>
>
> I don't believe that that's correct in this case. The issue here is
> that in order to provide confidentiality for the queries (in this case
> to the authoritative) you need to authenticate the resolver. And that
> means authentically learning the name of the resolver. So, for
> instance, if I go to learn the NS for .com and the attacker gives me
> www.attacker.com, then he can learn my
> queries. The name of the resolver can be authenticated by DNSSEC or
> (less strongly) by having each query protected via secure transport.

Yes, we do want authoritative to be authenticated by the resolver, and
DNSSEC might help with that.  (As DNSSEC root TA seems more suitable for
this than some web PKI CA list.)  However, some people here also want an
additional "opportunistic mode" where authentication isn't compulsory,
so I think that might be a compromise - without DNSSEC you'll only get
protection against passive attackers.


_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
