On Tue, Mar 11, 2014 at 11:26 AM, Stephane Bortzmeyer <[email protected]> wrote:
> On Sun, Mar 09, 2014 at 11:28:18AM +0100,
>  Florian Weimer <[email protected]> wrote
>  a message of 20 lines which said:
>
> > In most jurisdictions, home networks use recursive resolvers whose
> > operators are required by law to provide cleartext copies to local
> > authorities.
>
> This (and other similar privacy-invasive cases) is precisely why we
> need to improve DNS privacy.
>
> > Encryption won't change that.
>
> As mentioned in draft-bortzmeyer-dnsop-privacy-sol, encryption is
> _one_ solution, it is not _the_ solution. At least two other
> techniques can complement encryption, QNAME minimization and a caching
> resolver on your own machine (possibly forwarding to the IAP's
> resolvers).
>
> > If it is about securing broadcast media, just run IPsec between the
> > CPE and the first ISP router with trusted ARP and routing tables.
>
> If it were so simple ("just run"), why isn't it pervasive?

The point is not to merely encrypt, the point is to allow control over
the encryption. That is:

* The client knows that the request/response SHALL be encrypted

* The client and server both know that they are the only parties that
  could disclose the key

-- 
Website: http://hallambaker.com/
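An added illustration of the QNAME minimization that Stephane's quoted reply lists as a complement to encryption; this is example code written for this page, not code from the thread or from any resolver. The delegation tree, server names and query name are constructed; the simulation shows which part of the query name each authoritative server gets to see with and without minimization, including the empty non-terminal case where the resolver has to add another label.

```python
from typing import Dict, List, Tuple

# Constructed delegation tree (hypothetical names): zone apex -> server.
# "" is the root zone; hr.corp.example is deliberately NOT delegated, so
# it is an empty non-terminal inside the corp.example zone.
ZONE_CUTS: Dict[str, str] = {
    "": "root-server",
    "example": "tld-server",
    "corp.example": "zone-server",
}


def walk(qname: str, minimize: bool) -> List[Tuple[str, str]]:
    """Simulate an iterative lookup and return [(server, name it saw), ...].

    With minimize=False the resolver sends the full qname to every server
    on the path.  With minimize=True it only reveals one label more than
    the zone the current server is authoritative for.
    """
    labels = qname.strip(".").split(".")   # e.g. ["www", "hr", "corp", "example"]
    seen: List[Tuple[str, str]] = []
    zone = ""        # start at the root
    depth = 0        # number of rightmost labels already covered by `zone`
    while depth < len(labels):
        server = ZONE_CUTS[zone]
        depth += 1
        candidate = ".".join(labels[-depth:])          # one label deeper
        seen.append((server, candidate if minimize else qname))
        if candidate in ZONE_CUTS:
            zone = candidate                           # referral to child zone
            if depth == len(labels):                   # qname is itself an apex
                seen.append((ZONE_CUTS[zone], qname))
        elif not minimize:
            break   # this server is authoritative and answers the full name
        # minimize and no cut: NODATA for an empty non-terminal, add a label
    return seen


def exposure(qname: str) -> Dict[str, Dict[str, str]]:
    """Longest name each server learns, keyed by server, for both modes."""
    out: Dict[str, Dict[str, str]] = {}
    for mode, flag in (("full", False), ("minimized", True)):
        longest: Dict[str, str] = {}
        for server, name in walk(qname, flag):
            if len(name) > len(longest.get(server, "")):
                longest[server] = name
        out[mode] = longest
    return out


if __name__ == "__main__":
    for mode, per_server in exposure("www.hr.corp.example").items():
        print(mode, per_server)
```

Run stand-alone it prints that, without minimization, the root and TLD servers both learn the full name, while with minimization they learn only "example" and "corp.example" respectively.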
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
