On Wed, Apr 2, 2014 at 3:37 PM, Stephane Bortzmeyer <[email protected]> wrote:
> On Tue, Apr 01, 2014 at 02:43:10PM -0700,
> Wes Hardaker <[email protected]> wrote
> a message of 23 lines which said:
>
>> http://datatracker.ietf.org/doc/draft-hardaker-dnse-split-key-dns/
>
> You mention the risk coming from the resolver. That's why, IMHO, we
> should recommend people to run a local resolver, as much as possible
> (I'm aware it may not always be possible, for instance for constrained
> devices). See section 2.2.1 of draft-bortzmeyer-dnsop-privacy-sol-00
>
> This leaves us with the authoritative name servers learning the
> request.
I'm still confused by this bit. If I'm running a local resolver and my
machine makes a connection to ns1.example.com, presumably it's because
I'm trying to look up a record in the example.com zone (assuming
ns1.example.com is only authoritative for a small number of zones).
Sure, I could be looking up www.example.com or mail.example.com or
foo.example.com, but it's still clear I'm going to example.com....

As an example of this, if my resolver makes a connection to
199.193.245.198 it's quite clear I'm going to
http://www.smartrecovery.org/ (I wanted to use Alcoholics Anonymous,
but they use ns.rackspace.com, just like ~2,500 other folk).

Perhaps we don't care, because folk who run their own DNS likely run
"dedicated" web servers, and so it's clear for someone on the wire
where they are going anyway?!

W

> Caching protects a bit. For the rest, that's where qname
> minimisation or minimization comes into play. The authoritative name
> servers will still learn things but not as many things. See
> draft-bortzmeyer-dns-qname-minimisation
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
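The two points made in the exchange above (qname minimisation lets each authoritative server see fewer labels, yet the set of servers a local resolver contacts still names the zone) can be seen in a small simulation. This is an added example, not code from the thread, from either draft, or from any real resolver: the three-zone delegation tree, the server names (root-server.example, a.gtld-servers.example, ns1.example.com), the one-server-per-zone model and the "ask one more label per step" lookup logic are all constructed here for illustration.

```python
# Added illustration of qname minimisation; not code from the dns-privacy
# thread or from any DNS implementation. Zones, server names and the lookup
# logic below are constructed assumptions for the example.

# Constructed delegation tree: zone apex -> its (single) authoritative server.
# Names are absolute, lowercase, with a trailing dot.
ZONES = {
    ".": "root-server.example",
    "com.": "a.gtld-servers.example",
    "example.com.": "ns1.example.com",
}


def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']; '.' -> []."""
    return [lbl for lbl in name.split(".") if lbl]


def is_suffix(zone, name):
    """True if name is at or below zone ('.' is the suffix of everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def one_more_label(qname, probe):
    """Extend probe by the next label of qname, working toward the leaf."""
    q, p = labels(qname), labels(probe)
    assert is_suffix(probe, qname) and len(p) < len(q)
    return ".".join(q[-(len(p) + 1):]) + "."


def authoritative(zone, q):
    """Toy authoritative server for `zone`: refer the client to the direct
    child zone that owns q if there is one, otherwise answer from this zone."""
    child = None
    for z in ZONES:
        if z != zone and is_suffix(zone, z) and is_suffix(z, q):
            if child is None or len(labels(z)) < len(labels(child)):
                child = z
    return ("referral", child) if child else ("answer", None)


def resolve(qname, minimise):
    """Walk from the root to the answer for an A record and record, per
    authoritative server, the (qname, qtype) pairs it was sent.

    minimise=False sends the full qname to every server on the path.
    minimise=True  sends only one more label than the zone already known,
                   asking for NS until the full name is reached.
    """
    seen = {}
    zone = "."    # closest enclosing zone whose server we already know
    probe = "."   # deepest name sent so far (minimised mode only)
    while True:
        if minimise:
            probe = one_more_label(qname, probe)
            q, qtype = probe, ("A" if probe == qname else "NS")
        else:
            q, qtype = qname, "A"
        seen.setdefault(ZONES[zone], []).append((q, qtype))
        kind, child = authoritative(zone, q)
        if kind == "referral":
            zone = child
        elif q == qname:
            return seen
        # Otherwise a minimised probe hit no zone cut: the name lives inside
        # this zone, so the next iteration asks the same server for one more
        # label. This is the extra query a leaf zone sees under minimisation.


def contacted(seen):
    """Servers that someone on the wire sees the resolver talk to."""
    return sorted(seen)


if __name__ == "__main__":
    for name in ("www.example.com.", "a.b.example.com."):
        for mode in (False, True):
            print(name, "minimise" if mode else "full-qname",
                  resolve(name, minimise=mode))
    print("contacted either way:", contacted(resolve("www.example.com.", True)))
```

Running it shows that with minimisation the root sees only `com.`, the `com.` server only `example.com.`, and only `ns1.example.com` sees `www.example.com.`; without it, all three see the full name. For `a.b.example.com.` the leaf server sees two queries under minimisation (`b.example.com. NS`, then the full name), which is the "still learn things but not as many things" trade-off. `contacted()` returns the same server list in both modes, which is the observation about the destination address alone identifying the zone.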
