On Monday, 27 January 2025 14:05:42 CET Stephane Bortzmeyer via bind-users wrote:

> On Mon, Jan 27, 2025 at 12:55:08PM +0000,
> Marc <m...@f1-outsourcing.eu> wrote
> a message of 36 lines which said:
>
> > What is this referring to DNSSEC?
>
> The way I understand it, it is referring to DoH and DoT.
>
> > What is the point of encrypting data with the current implementation
> > of certificates.
>
> I fail to see the relationship with certificates. But if you want a
> complete analysis of privacy issues in DNS, read RFC 7626
> <https://www.rfc-editor.org/info/rfc7626>.
I appreciate the confirmation of this being about DoT/DoH, thank you!

So I suppose this would mostly affect ISPs then? From what I can tell, most ISPs (at least here in Belgium) do advertise their own DNS servers. That's then picked up by consumer / business routers, and either relayed as-is or with the router doing simple recursion. Either way, it would be the ISP answering the queries.

It seems that here in Belgium, this is also taken advantage of to serve legal requirements such as banning torrent sites. These would then be redirected to a stop page, stating that downloading torrents is illegal. It's easy to circumvent by just using a public DNS server like Google / Cloudflare / Quad9 etc., and all parties involved are seemingly aware of that. This low-impact choice was made because it was sufficient that most people just don't bother changing their DNS provider.

But that also means that ISPs can still tamper with the responses based on government requirements, be it that they encrypt their responses to the customer with DoT/DoH or not. If there's no authenticity, then they can literally respond with anything they want. Could be used lawfully or even organizationally (e.g. blocking Facebook at the workplace, because there's work to do), but it seems like a slippery slope.

RPZ is something I use internally too, but I've always had mixed feelings about its use. Is the ability to rewrite responses really our call to make? If so, to what extent? And if authenticity is to be enforced from those with authoritative servers, to circumvent that problem if identified as such, wouldn't that just move the ball for ISPs to employ more intrusive methods to comply with the law?

-- 
Kind regards,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users