On Mon, 16 Nov 2020, Brian Dickson wrote:
Yes, this is a huge gap in the fundamentals for any privacy architecture (ADoT), which is rooted in the unsigned nature of NS records regardless of the security state of a delegation (DNSSEC or not).
The IP connection to (small) nameservers will always leak information, even if perfectly encrypted and obtained without privacy. Just by connecting to say ns1.nohats.ca, any observer knows you are connecting to either "nohats.ca" or "libreswan.org". The only way out of that is a distributed decentralized DNS cache. We have those, but they are under control of commercial enterprises, and most of them fall under 1 country's government.
I stand corrected. Downgrade resistant only if the delegation information is protected (NS names in particular).
Protecting the delegation NS records against an on-path adversary (between resolver and TLD) does not have any nice solutions.
This is basically the same problem as ESNI. Except ESNI fixed it by pulling information from (encrypted) DNS :)

Paul

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
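As an added illustration, not code from the thread or from either author: a small Python model of what an on-path observer learns from the destination address of an (encrypted) resolver-to-authoritative connection, compared with going through a shared cache. The delegation data is constructed; only nohats.ca, libreswan.org and ns1/ns2.nohats.ca come from the thread, the other zones, nameserver names and addresses are placeholders.

```python
import math
from collections import defaultdict

# Constructed delegation data. Only the first two zones and the nohats.ca
# nameservers are from the thread; everything else is a placeholder.
DELEGATIONS = {
    "nohats.ca":     ["ns1.nohats.ca", "ns2.nohats.ca"],
    "libreswan.org": ["ns1.nohats.ca", "ns2.nohats.ca"],
    "example.com":   ["a.bigdns.example", "b.bigdns.example"],
    "example.net":   ["a.bigdns.example", "b.bigdns.example"],
    "example.org":   ["a.bigdns.example", "c.bigdns.example"],
}
# Constructed glue (nameserver name -> address), using documentation prefixes.
GLUE = {
    "ns1.nohats.ca": "192.0.2.1", "ns2.nohats.ca": "192.0.2.2",
    "a.bigdns.example": "198.51.100.1", "b.bigdns.example": "198.51.100.2",
    "c.bigdns.example": "198.51.100.3",
}


def zones_by_address(delegations=DELEGATIONS, glue=GLUE):
    """Invert the public delegation data: address -> zones served there.
    NS names and glue are public, so the observer is assumed to have this."""
    index = defaultdict(set)
    for zone, servers in delegations.items():
        for ns in servers:
            index[glue[ns]].add(zone)
    return dict(index)


def anonymity_set(dst_ip, via_shared_cache=False, delegations=DELEGATIONS, glue=GLUE):
    """Zones the observer cannot tell apart after seeing the resolver talk to dst_ip.
    ADoT hides the QNAME and the answer, but the destination address is in the clear,
    so the candidates are every zone delegated to a server at that address. Through a
    shared cache the only visible destination is the cache, so nothing narrows the set."""
    if via_shared_cache:
        return set(delegations)
    return zones_by_address(delegations, glue).get(dst_ip, set())


def revealed_bits(dst_ip, via_shared_cache=False, delegations=DELEGATIONS, glue=GLUE):
    """How much of the 'which zone' secret the destination alone gives away, in bits:
    log2(all zones) - log2(candidates). 0.0 means the address told the observer nothing;
    None means the address is not in the observer's delegation index at all."""
    k = len(anonymity_set(dst_ip, via_shared_cache, delegations, glue))
    return math.log2(len(delegations)) - math.log2(k) if k else None
```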
