On 13/07/2021 17.56, Hollenbeck, Scott wrote:
> Delegation-centric zones return name server IP addresses that are exposed in
> subsequent recursive queries. The value proposition of encrypting those
> addresses in a DNS response has to be weighed against [...]
I think that's a bit too simplified a description. Typically it's the
QNAME that's privacy-sensitive, commonly the label that's necessarily
sent to TLD operators already. It's becoming quite common to host DNS
and content at larger providers, in which case no IP address will be
that much identifying.*
But I can't see benefit in encryption towards root servers. And QNAME
minimization is the first step. (For root there are various "local"
approaches, too.)
--Vladimir
* Lots of privacy caveats often remain: the metadata of connections to
all IPs being sufficiently unique by itself, or encrypted client hello
missing in TLS. Still, those sources seem harder to mine than DNS itself.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
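The point about QNAME minimization being the first step can be made concrete by tracing which part of a query name each server in the delegation chain actually sees. The following is an added example, not code from the thread or from any resolver; it models a constructed delegation tree (root, com, example.com) offline and implements the one-label-at-a-time walk of RFC 7816/RFC 9156 in simplified form (real resolvers add labels in larger steps after a few iterations and choose the QTYPE differently, which does not change what each server observes).

```python
"""Compare what each name server sees for a full-QNAME resolver versus a
QNAME-minimising one.  Added example with a constructed delegation tree;
no network traffic is generated."""

# Constructed set of zone apexes at which delegations happen.  "" is the root.
ZONES = {"", "com", "example.com"}


def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']; '' -> []."""
    return [l for l in name.rstrip(".").split(".") if l]


def next_cut(labs, zone, zones):
    """Return the next zone cut below `zone` on the path to the full name,
    or None when `zone` is authoritative for the whole name."""
    depth = len(labels(zone))
    for d in range(depth + 1, len(labs) + 1):
        candidate = ".".join(labs[-d:])
        if candidate in zones:
            return candidate
    return None


def full_qname_trace(qname, zones=ZONES):
    """Classic iteration: every server on the chain receives the full QNAME.
    Returns a list of (server_zone, name_sent) tuples in query order."""
    labs = labels(qname)
    full = ".".join(labs)
    trace, zone = [], ""
    while True:
        trace.append((zone or ".", full))
        nxt = next_cut(labs, zone, zones)
        if nxt is None:          # this server answers; no further referral
            return trace
        zone = nxt               # follow the referral


def minimised_trace(qname, zones=ZONES):
    """QNAME minimisation: send a server only one label more than the zone it
    serves, adding a label per query until it refers us onward (or answers).
    Only the zone that finally owns the name ever sees the full QNAME."""
    labs = labels(qname)
    full = ".".join(labs)
    trace, zone = [], ""
    while True:
        depth = len(labels(zone))
        nxt = next_cut(labs, zone, zones)
        # The server keeps answering NODATA until the name hits the next cut
        # (referral) or, if there is no further cut, the full name (answer).
        stop = len(labels(nxt)) if nxt else len(labs)
        for d in range(depth + 1, stop + 1):
            trace.append((zone or ".", ".".join(labs[-d:])))
        if nxt is None:
            if depth == len(labs):   # QNAME is this zone's own apex
                trace.append((zone or ".", full))
            return trace
        zone = nxt


def exposure(qname, zones=ZONES):
    """Per server: the longest name it saw under each strategy."""
    out = {}
    for mode, fn in (("full", full_qname_trace), ("minimised", minimised_trace)):
        for server, name in fn(qname, zones):
            out.setdefault(server, {})[mode] = max(
                out.get(server, {}).get(mode, ""), name, key=len)
    return out


if __name__ == "__main__":
    # Constructed sample name: the leaf label is the privacy-sensitive part.
    for server, seen in exposure("private-host.sub.example.com.").items():
        print(f"{server:12s} full: {seen['full']:30s} minimised: {seen['minimised']}")
```

Running it shows the root server sees only "com" and the TLD server only "example.com" under minimisation, while the zone hosting the name still receives "private-host.sub.example.com" in the last query; that is the residual exposure the post's first-sentence caveat refers to, and no encryption towards the root would have reduced it further.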