Moin!
On 6 Nov 2019, at 0:13, Warren Kumari wrote:
> I'd like some system where I can signal that I support DoT:
> 1: without my parent having to do anything (like be upgraded to
> support DoT)
Why does the parent need to be upgraded to DoT? It can just indicate a DoT
server for a child. These are normal DNS semantics.
> 2: without having people to probe and wait for a timeout
Again, resolution follows the delegation, so that is the best place to
put this.
> 3: with my users' first connection protected, so they don't have to
> look up safe.kumari.net (to make sure that the resolver knows that
> ns01.kumari.net supports DoT), or something like _dot.kumari.net
> before looking up secret.kumari.net.
Well, as long as you are ok with the fact that someone wants something in
kumari.net, that should work. However, maybe it is good to remind people
that public DNS data is public, so keeping something secret is hard to
impossible. Also, there has been some research presented at the ANRW
workshop showing that even when hiding all DNS traffic from an observer it still
is possible to digest what a user visited by only looking at the IP
addresses ( https://irtf.org/anrw/2019/program.html - What Can You
Learn from an IP). As said before, if we really want privacy for users we
have to fully encrypt and obfuscate layer 3.
> 4: without expecting everyone to support DNSSEC.
Really. I cannot see how we design something new that does not take
DNSSEC into account. That would negate a lot of hard work done by a lot
of people over decades. Would you design something new without taking
IPv6 into account?
So long
-Ralf
--
Ralf Weber
_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy