Hello,
There are currently four (IETF) working groups focused on DNS with
three of them having privacy as part of their charter. I read
draft-ietf-dprive-rfc7626-bis-03 as I was looking for a document
which might be related to those topics.
Section 1 of the draft has a tutorial of how DNS works. What is the
audience for this draft?
Section 3.1 of the draft discusses the claim that "the data in
the DNS is public". The claim is supported [1] by one of the authors
of the draft. The draft states that the claim makes sense. What is
the meaning of the "data in the DNS"? Does "is public" mean that the
"data" is not confidential?
Section 3.2 discusses what a user does and uses a DNS query related to
email as an example. Is the MUA expected to validate the MX RR or
is it the role of the MSA?
Section 3.4.1 discusses the lack of confidentiality in the design of
DNSSEC and equates privacy-aware with "secured against
surveillance". Mixing the pervasive monitoring and privacy aspects
creates ambiguity. For example, encrypting the entire DNS
communication chain with adequate security mechanisms could mitigate
pervasive monitoring concerns. However, that does not address
privacy concerns as there are still entities which are able to collect
and process those DNS queries for secondary purposes.
The choice of resolvers was previously made by the network on which
the user was connected. Recently, the Internet Engineering Steering
Group approved the standardization of a mechanism so that the choice
can be made by a web browser. The data from the DNS query is, with
some exceptions, automatically transferred to a foreign
jurisdiction. The draft mentions in Section 3.5.1.1 that the
entities running networks might have a strong, medium, or weak
privacy policy. However, it misses a crucial aspect with respect to
privacy policies, which is the redress mechanism available to the user.
Section 3.5.1.3 states that user privacy can also be at risk if the
network operator blocks access to some remote recursive server. It
could be argued that it might be a filtering (or censorship)
technique. However, it does not have an impact on user privacy
unless there is an identifier which can be traced back to the user.
If I understood Section 3.5.1.5.2. correctly, the move to DNS over
HTTPS created more privacy issues because HTTPS functionality was
favored at the expense of privacy.
Section 3.6 of the draft states that the IAB privacy and security
program has some work in progress. Given that it has been over four
years, could an update be provided about that work in progress?
Section 5 discusses legalities within a European Union context and
concludes that there are no specific laws for DNS data in any
country. Did the working group conduct a worldwide study to find
evidence of that?
Regards,
S. Moonesamy
1. http://r.elandsys.com/r/32470