I. Under the "Certificates for hosts whose address was not obtained via DNS lookup" section, a few scenarios come to mind:
1. The host was accessed by IP address.
2. The hostname was resolved by a SOCKS proxy server.
3. The hostname was resolved using DNS, but the local resolver forwarded the query directly to a local authoritative server instead of recursing via the root. This scenario is probably quite common in corporate networks.

II. Another privacy consideration is that the log DNS frontend learns the IP address of the recursive server, which in some cases may uniquely identify a person. This is not an issue if the recursive server is shared between many people, as a large ISP's would be, but what about folks running their own recursive servers? Some home routers run a DNS server - are they recursive or just forwarding? Even if a recursive server is shared, if it's not shared with enough people, it may be possible to identify a person by correlating requests made at around the same time.

I think more data is needed before concluding that this approach provides the desired privacy. Could Chrome run an experiment which resolves a DNS record for a hostname of the form <client-public-IP-address>.<test-domain>, and measure how many different <client-public-IP-address>es per recursive server are observed over various time periods by the authoritative servers for <test-domain>?

Regards,
Andrew

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
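A worked version of the measurement proposed in the message above, added here as an illustration; it is not part of the original post, nor of any Chrome experiment. The test domain (probe.example), the log line format and the sample log lines are all constructed assumptions. The client side embeds its public address in a hostname under the test domain; the authoritative side groups the queries it receives by the recursive resolver that sent them and by time window, and reports how many distinct client addresses each resolver hid in each window. A resolver whose set falls below a chosen threshold k is one that a log's DNS frontend could use to narrow a query down to a person.

```python
"""Anonymity-set measurement for the <client-public-IP>.<test-domain> experiment.

Added example, not code from the mailing-list post. Assumptions (constructed):
  - the test domain is "probe.example";
  - each authoritative-server log line is "<ISO-8601 UTC timestamp> <resolver IP> <qname>";
  - a probe qname is one label under the test domain, with the client's address
    written with dashes instead of dots/colons so it stays a single label.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

TEST_DOMAIN = "probe.example"  # hypothetical test domain


def encode_probe_name(client_ip: str, test_domain: str = TEST_DOMAIN) -> str:
    """Client side: turn the client's public IP into a probe hostname."""
    addr = ipaddress.ip_address(client_ip)  # validates and normalises the address
    label = str(addr).replace(".", "-").replace(":", "-")
    return f"{label}.{test_domain}"


def decode_probe_name(qname: str, test_domain: str = TEST_DOMAIN):
    """Authoritative side: recover the client IP from a probe qname, else None."""
    qname = qname.rstrip(".")
    suffix = "." + test_domain
    if not qname.endswith(suffix):
        return None
    label = qname[: -len(suffix)]
    if "." in label:  # exactly one label is allowed between client and domain
        return None
    # Try IPv4 first ("192-0-2-10"), then IPv6 ("2001-db8--1").
    for sep in (".", ":"):
        try:
            return str(ipaddress.ip_address(label.replace("-", sep)))
        except ValueError:
            continue
    return None


def parse_log_line(line: str, test_domain: str = TEST_DOMAIN):
    """Split one constructed log line into (timestamp, resolver IP, client IP or None)."""
    ts_text, resolver, qname = line.split()
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, resolver, decode_probe_name(qname, test_domain)


def anonymity_sets(lines, window_seconds: int, test_domain: str = TEST_DOMAIN):
    """Map (resolver IP, window index) -> set of distinct client IPs seen in that window."""
    sets = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, resolver, client = parse_log_line(line, test_domain)
        if client is None:  # not a probe query; ignore
            continue
        bucket = int(ts.timestamp()) // window_seconds  # windows aligned to the epoch
        sets[(resolver, bucket)].add(client)
    return sets


def min_anonymity(sets):
    """Per resolver, the smallest set of distinct clients it showed in any window."""
    result = {}
    for (resolver, _bucket), clients in sets.items():
        n = len(clients)
        result[resolver] = min(result.get(resolver, n), n)
    return result


def identifying_resolvers(sets, k: int):
    """Resolvers that, in at least one window, fronted fewer than k distinct clients."""
    return sorted(r for r, m in min_anonymity(sets).items() if m < k)


# Constructed sample log: 203.0.113.53 plays a large shared resolver,
# 198.51.100.2 a home router that only ever forwards for one client.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.53 192-0-2-10.probe.example
2024-05-01T10:00:05Z 203.0.113.53 192-0-2-11.probe.example
2024-05-01T10:00:09Z 203.0.113.53 192-0-2-12.probe.example
2024-05-01T10:00:12Z 198.51.100.2 192-0-2-77.probe.example
2024-05-01T10:59:00Z 203.0.113.53 192-0-2-10.probe.example
2024-05-01T11:30:00Z 198.51.100.2 192-0-2-77.probe.example
2024-05-01T11:30:30Z 203.0.113.53 192-0-2-13.probe.example
2024-05-01T11:31:00Z 203.0.113.53 192-0-2-14.probe.example
2024-05-01T11:32:00Z 203.0.113.53 2001-db8--1.probe.example
2024-05-01T11:40:00Z 203.0.113.53 www.unrelated.example
"""

if __name__ == "__main__":
    for window in (3600, 86400):
        sets = anonymity_sets(SAMPLE_LOG.splitlines(), window)
        print(f"window={window}s min distinct clients per resolver:", min_anonymity(sets))
        print(f"window={window}s resolvers with anonymity set < 2:", identifying_resolvers(sets, 2))
```

Running the sample shows why the window length matters: over an hour the shared resolver hides only three clients, over a day six, while the home router never hides more than one and is flagged at any window length. The correlation concern in the message is the narrow-window case; a real run would sweep window sizes and report the distribution of set sizes, not just the minimum.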
