On Wed, 2020-11-18 at 10:14 -0500, Paul Wouters wrote:
> On Mon, 16 Nov 2020, Brian Dickson wrote:
>
> > Yes, this is a huge gap in the fundamentals for any privacy architecture
> > (ADoT), which is rooted in the unsigned nature of
> > NS records regardless of the security state of a delegation (DNSSEC or not).
>
> The IP connection to (small) nameservers will always leak information,
> even if perfectly encrypted and obtained without privacy. Just by
> connecting to say ns1.nohats.ca, any observer knows you are connecting
> to either "nohats.ca" or "libreswan.org".

But not what subdomain, if any, of those you are visiting. I do recognise
that this is on the long tail of things we can try to protect.

> The only way out of that is a distributed decentralized DNS cache.

I always imagined that, given DNSSEC, we could bittorrent our way out of
this. Then later people imagined we could blockchain our way out of this -
but it hasn't happened yet.

> > Downgrade resistant only if the delegation information is protected (NS
> > names in particular).
> > Protecting the delegation NS records against an on-path adversary (between
> > resolver and TLD) does not have any nice
> > solutions.
>
> This is basically the same problem as ESNI. Except ESNI fixed it by
> pulling information from (encrypted) DNS :)

That's "protecting the NS records against snooping", if I understand you
correctly. The other problem is protecting the delegation NS records
against meddling, for which various partial solutions have been provided
but we have zero standardised today.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
