(NB: I've revised the Subject line to reflect that this has moved off-topic from ILNP and is really purely about DNS, DNSsec, and alleged privacy issues.)
On 10 Jun 2010, at 15:48 , Patrick Frejborg wrote:

>> Earlier, Ran Atkinson wrote:
>> Separately, DNS with DNS Security can be used to retrieve
>> the revised Locator value(s) from the DNS
>
> Found this on wikipedia
> http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Zone_enumeration_issue.2C_controversy.2C_and_NSEC3
>
> "In addition, the information from an enumerated zone
> can be used as a key for multiple WHOIS queries; this would
> reveal registrant data which many registries are under strict
> legal obligations to protect under various contracts.

I don't have any reason to believe that the quoted claim above is true. In fact, I have some evidence (below) that the claim is not valid/correct.

For example, more than one registrar today simply returns its own contact information in response to a WHOIS query for a domain that has a private registration. Multiple queries (for the same domain or for a variety of different domains) don't reveal anything at all, except that some huge number of domains happen to have been coincidentally registered by the same registrar. All of those privately registered domains will return identical information from a WHOIS perspective (e.g. the registrar's name and the registrar's contact information, but NOT the registrant's name or contact information), so there is no privacy issue.

More generally, there is nothing in DNSsec that requires a registrar to reveal private registrant data. Keeping that registrant data private is solely a registrar issue, one that can be solved entirely within a given registrar, with no changes to the DNS protocol (and no changes to the WHOIS protocol either).

> It is unclear whether DNSSEC is legal to deploy at all in many
> countries, unless such lists can be kept private.

That information can be kept private, with one example approach described above, so there is no actual issue here. No protocol changes are needed for this in any event.

> DENIC has stated that DNSSEC's zone enumeration issue violates
> Germany's Federal Data Protection Act, and other European countries
> have similar privacy laws forbidding the public release of certain
> kinds of information."

This is why DNSsec also has other mechanisms (e.g. NSEC3) that don't enable zone enumeration. Those mechanisms (e.g. NSEC3) are widely available now [1], well before ILNP is widely available, so there is no current issue here either.

Yours,

Ran

[1] According to this URL, the very commonly used BIND implementation of DNS and DNSsec has included NSEC3 in shipping releases for over 2 years already: <http://www.isc.org/software/bind/new-features/9.6> Other DNS implementations also exist with NSEC3 support. BIND is simply a convenient example to cite, because it is especially widely deployed at present.

_______________________________________________
rrg mailing list
http://www.irtf.org/mailman/listinfo/rrg
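As an added illustration (not part of the message above, and not code from BIND or any other DNS implementation), the following Python simulates the two mechanisms the message contrasts: an NSEC chain, which a client can walk name by name with ordinary queries, and an NSEC3 chain built per RFC 5155, whose owner names are salted, iterated SHA-1 hashes of the real names. The zone, the NSEC3PARAM values (12 iterations, salt aabbccdd) and the wordlist are all constructed for this example. The last function shows the caveat a practitioner should keep in mind: an NSEC3 walk still yields the complete list of hashes, and each hash can be matched offline against guessed names, so NSEC3 hides only names that an attacker cannot guess.

```python
import base64
import hashlib

# Constructed sample zone for the walkthrough (not taken from the message).
APEX = "example."
ZONE_NAMES = [APEX, "www.example.", "mail.example.", "alpha.example.", "zeta.example."]

# Hypothetical NSEC3PARAM values. SHA-1 is the only hash algorithm RFC 5155 defines.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

# RFC 5155 owner names use base32hex (RFC 4648 "extended hex"); map from Python's RFC 4648 base32.
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name):
    """Split a presentation-format name into lowercase labels (no trailing empty label)."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical_key(name):
    """Sort key implementing RFC 4034 canonical ordering: compare labels from the root inward."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))


def canonical_wire(name):
    """Canonical wire form (RFC 4034 section 6.2): length-prefixed lowercase labels, then a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(B32_TO_B32HEX).lower()


def build_nsec_chain(names):
    """NSEC: each existing name points at the next existing name in canonical order; last wraps to first."""
    order = sorted(names, key=canonical_key)
    return {order[i]: order[(i + 1) % len(order)] for i in range(len(order))}


def build_nsec3_chain(names):
    """NSEC3: the same chain, but over hashed owner names sorted in hash order."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return {hashes[i]: hashes[(i + 1) % len(hashes)] for i in range(len(hashes))}


def walk(chain, start):
    """Zone walk: each step is one query for the NSEC/NSEC3 RR at 'start', whose 'next' field is followed."""
    seen, cur = [], start
    while cur not in seen:
        seen.append(cur)
        cur = chain[cur]
    return seen


def dictionary_attack(hashes, apex, wordlist):
    """Offline step after an NSEC3 walk: hash guessed names and look them up. No further queries needed."""
    targets = set(hashes)
    found = {}
    for candidate in [apex] + [f"{word}.{apex}" for word in wordlist]:
        h = nsec3_hash(candidate)
        if h in targets:
            found[h] = candidate
    return found


if __name__ == "__main__":
    print("NSEC walk reveals:", walk(build_nsec_chain(ZONE_NAMES), APEX))
    hashes = walk(build_nsec3_chain(ZONE_NAMES), nsec3_hash(APEX))
    print("NSEC3 walk reveals only hashes:", hashes)
    # Constructed wordlist; 'zeta' is deliberately missing, so that name stays hidden.
    print("Recovered offline:", dictionary_attack(hashes, APEX, ["www", "mail", "ftp", "ns1", "alpha"]))
```

The NSEC walk needs one query per name and returns every name in the zone; the NSEC3 walk returns the same number of records but only their hashes, and the hidden names are recovered only to the extent the attacker's wordlist covers them.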
