> I'm not convinced making some tiny form of this information available from
> the local DNS cache is of any more value to an attacker than the myriad of
> other ways they can learn the same information.

I am sure that there are plenty of people who can use information from the
cache to prime attacks or use that information just to snoop into one's
private life.

> Most importantly I will claim for the moment that these kinds of attacks
> cannot be eliminated by simply preventing cache snooping. They are
> indicative of flaws in other areas and while they may be mitigated slightly
> in the near term by preventing cache snooping, they can only be prevented by
> correcting other flaws.

So what? We open another privacy and security hole we are already trying to
close?

>> It also complicates the end-user experience. If someone hardcodes my DNS
>> servers into their machine and moves off of my network, lookups of
>> popular, cached RRs will mostly work and other lookups will mysteriously
>> fail, perhaps a week in the future after they've forgotten what they've
>> done. It seems much more clear to just have nothing work until they fix
>> their config.
>
> I'm not really concerned at all about such issues. Perhaps it is sad for me
> to say so, but they are inevitably someone else's problem, not mine.

Here's the problem. You are trying to enforce your view, since it's your
current problem. But I hope that's never going to happen in Unbound. We are
supposed to fix up the old wounds and not open them again and again.

>> The fact that it is in a cache or not and when it was retrieved is the
>> sensitive data, not the public data that was retrieved.
>
> That information is not really any more sensitive than anything else done on
> a _public_ network.

It is, since anybody around the globe could query the cache; he doesn't have
to be a MITM or sitting at the end points.

> If anyone can show me any real (i.e. no hand waving or ranting!) attacks
> where cache snooping is a very important contributor that cannot be replaced
> by other mechanisms then I'll certainly pay attention.

Ok, again. Reasoning "there are plenty of holes, so leave this open as well"
is not going to make the internet safer.

And I think we are really going off-topic; this is a more general DNS issue
than an Unbound-specific one.

Ondrej
--
Ondřej Surý <[email protected]>
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
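The point argued above, that anyone on the internet can read the cache unless the resolver is told whom to serve, maps directly onto Unbound's access-control policy. The following is an added illustration, not a configuration posted in the thread or shipped by the Unbound project: it places a permissive server: fragment beside a restrictive one. The access-control directive and its allow, allow_snoop and refuse actions are real Unbound options; the 192.0.2.0/24 client range is a constructed documentation prefix (RFC 5737) standing in for an operator's own network.

```conf
# Added example (not from the thread). Two ALTERNATIVE unbound.conf fragments;
# use one or the other, not both. 192.0.2.0/24 is a constructed placeholder
# for the operator's own client network; substitute the real prefixes.

# --- Weak: the whole internet gets recursion AND non-recursive (RD=0) cache reads ---
server:
    access-control: 0.0.0.0/0 allow_snoop   # allow_snoop = recursion plus cache inspection

# --- Corrected: recursion only for local clients, everyone else answered REFUSED ---
server:
    access-control: 0.0.0.0/0 refuse        # outsiders get REFUSED (not a silent drop, so misconfigs surface)
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow      # plain "allow": recursive service only; RD=0 queries are refused
```

Validate the file with unbound-checkconf before reloading. To confirm the policy, a non-recursive lookup (dig +norecurse against the resolver) from a host outside the allowed prefixes should come back with status REFUSED, and a lookup from inside the prefixes should succeed only with recursion requested; that is the behaviour the corrected fragment intends, and the one the "nothing works until they fix their config" comment in the quoted text describes.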
