Stephane,

Thanks for taking the time to capture this issue in a draft. I am very
supportive of providing a means to make DNS confidential.

A few comments from a reviewer's perspective:

Section 3.2:

I realize that this is obvious, but it might be worth noting that there is
often (typically) a network connection made to the subject of a DNS query
sent from a stub resolver.  For example after sending a query for
www.example.com I am likely to make a connection via TCP to the address
returned.  This fact reduces the value of obscuring DNS queries at the
last mile unless the most aggressive measures are taken (a VPN or tunnel).
If an eavesdropper can dump traffic on the wire then they will see
outbound connections to www.example.com and so it doesn't really matter
whether they were able to see the DNS query.

Section 3.3.3:

While I agree with the sentiments in this section, is this in scope for
this draft?  This feels a little more like a reprise of arguments in favor
of DNSSEC which does not address privacy at all.

Section 4:

There is enough overlap between sections 4 and 3.3 that I would combine
section 4 and section 3.3 to address the problem of properly handling
packet traces and captured DNS traffic in a way that protects end user
privacy.

Section 6.1:

It feels as though this section dives into the solution rather than the
problem... something that needs to be done, but it feels out of scope for
this draft.  This could be addressed by changing the abstract of the draft
or by reducing the content in this section.



-- 
Glen Wiley
KK4SFV

Sr. Engineer
The Hive, Verisign, Inc.




On 11/11/13 7:10 AM, "Stephane Bortzmeyer" <[email protected]> wrote:

>On Wed, Sep 25, 2013 at 02:40:59PM +0200,
> Stephane Bortzmeyer <[email protected]> wrote
> a message of 13 lines which said:
>
>> May be starting with the more modest but certainly useful "DNS
>> privacy considerations" Internet-Draft? Such a document, just
>> documenting the problem, would be a good idea, IMHO.
>
>Done. 
>http://tools.ietf.org/html/draft-bortzmeyer-perpass-dns-privacy
>_______________________________________________
>perpass mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/perpass
