> Having analysed root-server
> traffic via DITL data, I am acutely aware of the need for
> *complete* privacy protection. Since the best way to keep things
> secret is not to tell anyone, I see that LocalRoot fulfills that
> promise. The other methods go a long way, but do not stop your
> queries from ending up in, say, DITL data.

What I find problematic is that only a small part of query traffic is
considered.

Most DNS queries do not just go to the root and stop there. Queries continue
to TLDs, SLDs, etc.

For an on-path attacker, does a local root provide much protection? Not
really; the attacker will see the query go to the TLD.

With local root, root operators will not see the query but operators of
TLDs will. Are root operators less trustworthy than TLD operators? It seems
that the answer is yes because root operators participate in DITL. So
maybe a local root is a good idea.

When considering all upstream traffic of a resolver to answer a query,
is the improvement provided by a local root significant?
