Some comments in-line.

On Mon, Nov 11, 2013 at 11:27 AM, Wiley, Glen <[email protected]> wrote:

> Stephane,
>
> Thanks for taking the time to capture this issue in a draft. I am very
> supportive of providing a means to make DNS confidential.
>
> A few comments from a reviewer's perspective:
>
> Section 3.2:
>
> I realize that this is obvious, but it might be worth noting that there is
> often (typically) a network connection made to the subject of a DNS query
> sent from a stub resolver.  For example after sending a query for
> www.example.com I am likely to make a connection via TCP to the address
> returned.  This fact reduces the value of obscuring DNS queries at the
> last mile unless the most aggressive measures are taken (a VPN or tunnel).
> If an eavesdropper can dump traffic on the wire then they will see
> outbound connections to www.example.com and so it doesn't really matter
> whether they were able to see the DNS query.
>
>
While I agree it reduces the value, it doesn't eliminate the value.  One
reason for this is services which provide different content at the same IP,
often depending on the HTTP Host: header to disambiguate among the
resources available.  The DNS query tells you which resource was the target
even if the HTTP flow was protected by TLS.  The same is true when someone
uses a stub resolver to query for DNS records using a local network before
passing the traffic through a VPN (there are a variety of configurations in
which this can happen).


regards,

Ted


> Section 3.3.3:
>
> While I agree with the sentiments in this section, is this in scope for
> this draft?  This feels a little more like a reprise of arguments in favor
> of DNSSEC which does not address privacy at all.
>
> Section 4:
>
> There is enough overlap between sections 4 and 3.3 that I would combine
> section 4 and section 3.3 to address the problem of properly handling
> packet traces and captured DNS traffic in a way that protects end user
> privacy.
>
> Section 6.1
>
> It feels as though this section dives into the solution rather than the
> problem... something that needs to be done, but it feels out of scope for
> this draft.  This could be addressed by changing the abstract of the draft
> or by reducing the content in this section.
>
>
>
> --
> Glen Wiley
> KK4SFV
>
> Sr. Engineer
> The Hive, Verisign, Inc.
>
>
>
>
> On 11/11/13 7:10 AM, "Stephane Bortzmeyer" <[email protected]> wrote:
>
> >On Wed, Sep 25, 2013 at 02:40:59PM +0200,
> > Stephane Bortzmeyer <[email protected]> wrote
> > a message of 13 lines which said:
> >
> >> May be starting with the more modest but certainly useful "DNS
> >> privacy considerations" Internet-Draft? Such a document, just
> >> documenting the problem, would be a good idea, IMHO.
> >
> >Done.
> >http://tools.ietf.org/html/draft-bortzmeyer-perpass-dns-privacy
> >_______________________________________________
> >perpass mailing list
> >[email protected]
> >https://www.ietf.org/mailman/listinfo/perpass
>
>
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
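The shared-address case Ted raises above (several sites behind one IP, disambiguated by the HTTP Host: header) can be made concrete with a small passive-correlation script. This is an added example, not code from the thread or the draft; the DNS answers, TCP connections, client and server addresses and the 30-second correlation window are all constructed for illustration. It contrasts what an on-path observer learns from the destination address alone with what the client's own preceding DNS query adds.

```python
"""Added example (not from the thread): why the DNS query still leaks the
target when one IP address fronts several sites.

Given a passive capture of (a) DNS answers seen on the last mile and
(b) later TCP connections, compare what an eavesdropper learns from the
destination address alone with what the preceding DNS query adds.
All records, names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since start of capture
    client: str    # address of the stub resolver that asked
    qname: str     # name queried
    address: str   # A record returned


@dataclass(frozen=True)
class TcpConnect:
    ts: float
    client: str
    dst: str
    dport: int


# Constructed capture. Three names resolve to the same front-end address
# (a virtual-hosting setup keyed on the HTTP Host: header); one name has
# an address of its own.
DNS_LOG: List[DnsAnswer] = [
    DnsAnswer(1.0, "192.0.2.10", "www.example.com", "198.51.100.5"),
    DnsAnswer(2.0, "192.0.2.10", "blog.example.net", "198.51.100.5"),
    DnsAnswer(3.0, "192.0.2.11", "shop.example.org", "198.51.100.5"),
    DnsAnswer(4.0, "192.0.2.11", "mail.example.com", "198.51.100.9"),
]

CONN_LOG: List[TcpConnect] = [
    TcpConnect(2.2, "192.0.2.10", "198.51.100.5", 443),
    TcpConnect(3.1, "192.0.2.11", "198.51.100.5", 443),
    TcpConnect(4.3, "192.0.2.11", "198.51.100.9", 443),
]


def names_for_address(dns: List[DnsAnswer]) -> Dict[str, Set[str]]:
    """Every name the observer has seen resolve to each address."""
    table: Dict[str, Set[str]] = {}
    for a in dns:
        table.setdefault(a.address, set()).add(a.qname)
    return table


def attribute_by_ip(conn: TcpConnect, dns: List[DnsAnswer]) -> Set[str]:
    """What the destination address alone tells the observer: a candidate
    set, which stays ambiguous whenever the address is shared."""
    return set(names_for_address(dns).get(conn.dst, set()))


def attribute_by_dns(conn: TcpConnect, dns: List[DnsAnswer],
                     window: float = 30.0) -> Optional[str]:
    """Pick the most recent query from the same client, within `window`
    seconds before the connection, whose answer was the destination.
    The window is a heuristic chosen for this example, not a standard."""
    best: Optional[DnsAnswer] = None
    for a in dns:
        if (a.client == conn.client and a.address == conn.dst
                and conn.ts - window <= a.ts <= conn.ts):
            if best is None or a.ts > best.ts:
                best = a
    return best.qname if best else None


def correlate(conns: List[TcpConnect], dns: List[DnsAnswer]
              ) -> List[Tuple[str, str, Set[str], Optional[str]]]:
    """Per connection: (client, dst, candidates from IP alone, name from DNS)."""
    return [(c.client, c.dst, attribute_by_ip(c, dns), attribute_by_dns(c, dns))
            for c in conns]


if __name__ == "__main__":
    for client, dst, by_ip, by_dns in correlate(CONN_LOG, DNS_LOG):
        print(f"{client} -> {dst}: ip alone {sorted(by_ip)}; with DNS {by_dns}")
```

For the first connection the address alone yields three candidate names, while the client's DNS query narrows it to one; only the connection to the unshared address is identified either way. One caveat the thread does not mention: with TLS as deployed, the ClientHello's SNI extension also carries the server name in the clear, so protecting the DNS query on its own does not close this channel for HTTPS; the script models only the IP-versus-DNS distinction made in the reply.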