On 13. 11. 2013, at 10:49, Stephane Bortzmeyer <[email protected]> wrote:

>> then they will see outbound connections to www.example.com and so it
>> doesn't really matter whether they were able to see the DNS query.
>
> Read the draft again (section 3.2). For instance, the manager of the
> TLD .example sees the DNS requests coming in his name servers but
> typically cannot tap the TLS traffic to www.something.example.
JFTR, with my TLD hat on I fully support Stephane's draft. Every little bit counts, and neither chicken-and-egg nor too-long-to-deploy should stop us from making security or privacy better. And the less information I see on TLD DNS servers the better. I (as a TLD server operator) don't want to know all the information, since that makes me vulnerable to attacks and/or legal wiretapping. The SNI/TLS cleartext should motivate people to fix TLS, not to hinder the improvements in the DNS area.

O.

--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:[email protected] http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
