Stephane,

On 09/29/2013 07:28 PM, Stephane Bortzmeyer wrote:
> On Fri, Sep 27, 2013 at 11:41:25AM -0700,
> Karl Malbrain <[email protected]> wrote
> a message of 138 lines which said:
>
>> I'm concerned about three DNS security problems:
>
> You're not concerned about the fact that DNS servers (your resolver,
> and the authoritative name servers) get a lot of data and can misuse
> it? It seems to me that it is one of the main weaknesses of DNS, when
> it comes to confidentiality. A big public resolver, like OpenDNS or
> Google Public DNS (both located in PRISMland) can learn a lot of
> things about its users (this has been used often to detect malware,
> only from its DNS requests, but it could be used for more sinister
> purposes). A big TLD (say, for example, .com, also located in
> PRISMland) can also learn a lot.
>
> And no amount of cryptography between the client and this server will
> help.
Does that mean that there's scope for a BCP on ways of deploying DNS that are more (or less) privacy friendly? While I guess a bunch of n/w operators might not care, I'm pretty sure some would. (And could perhaps get some competitive benefit from demonstrably caring via following such a BCP.)

Additionally, if you're arguing that there's no useful role at all for confidentiality in DNS then I think I'd argue that confidentiality could well be useful, but that it won't by itself be sufficiently useful to be worth deploying and so is only worthwhile in conjunction with some already privacy-friendly deployment of DNS servers.

Sound wrong? Or right? If right, then maybe there's scope for some experimental RFC(s) to go with that BCP. Volunteers very welcome as usual:-) If you're one, just go write the internet-draft and we'll catch up with you after you've posted a link here.

Cheers,
S.

> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
