On Fri, 20 Mar 2015, Watson Ladd wrote:
> What's wrong with DNScrypt?

It's just a preconfigured new VPN protocol where the clients need to know the public key of this new VPN protocol provider to set up a VPN limited to "DNS"Curve packets.

- It is incompatible with IETF VPN protocols (IPsec/IKE, TLS)
- It is incompatible with actual DNS packets
- It does not support (from what I can deduce) DNSSEC
- It requires chaining to an actual DNS resolver
- It has no crypto agility (from what I can deduce)

The Wijngaards drafts also define a new VPN protocol, but for a very good reason - they are attempting to use the DNS protocol as transport, while remaining completely compatible with DNS (e.g. they do not throw cruft over port 53 that is not DNS). Whether that is a good idea, I am still undecided on, but to me it is a justification for not using TLS or IKE/IPsec.

If the starting point is "preconfigured public key", I see no reason not to use IPsec or TLS as the transport to encrypt regular DNS traffic.

In other words, dnscrypt does not add anything to our toolbox that we don't already have, so there is no reason to add it.

Paul

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
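As an added illustration of the "TLS as the transport for regular DNS traffic" point (example code written for this page, not part of Paul's post, of DNSCrypt, or of any IETF draft): the DNS message below is built exactly as it would be sent on port 53, including the EDNS0 DO bit so DNSSEC records pass through untouched, and is then given the two-octet length prefix that DNS already uses over TCP and that DNS over TLS reuses. The only thing that changes is the transport. The `query_over_tls` function, the port 853 default and the certificate-pin check are this example's own choices, not anything the post specifies; the hostname and pin a caller would pass are assumptions.

```python
"""Unchanged DNS wire-format messages carried over a TLS/TCP stream.

Added example, not code from the mailing-list post. The query is an
ordinary RFC 1035 message with an RFC 6891 OPT record (DO bit set), framed
with the 16-bit length prefix of DNS-over-TCP (RFC 1035 4.2.2), which DNS
over TLS (RFC 7858) reuses unchanged.
"""
import hashlib
import socket
import ssl
import struct
from typing import List, Optional, Tuple


def build_query(name: str, qtype: int = 1, dnssec_ok: bool = True, msg_id: int = 0x1234) -> bytes:
    """Return a plain DNS query in wire format: header, one question, optional OPT RR."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT (1 if OPT present)
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE 41, UDP payload size 4096,
        # extended RCODE 0, version 0, flags with DO (0x8000), RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-octet big-endian length (DNS over TCP/TLS framing)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a stream buffer into complete DNS messages.

    Returns (messages, remainder); the remainder is a trailing partial message
    that needs more bytes from the socket before it can be parsed.
    """
    messages = []
    while len(buf) >= 2:
        (length,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + length:
            break
        messages.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return messages, buf


def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name starting at pos (labels or a compression pointer)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two octets, ends the name
            return pos + 2
        pos += 1 + length


def dnssec_ok_set(msg: bytes) -> bool:
    """True if the message carries an OPT pseudo-RR with the DO bit set (RFC 6891)."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41 and ttl & 0x8000:  # in OPT the TTL field holds ext-rcode/version/flags; DO is the top flag bit
            return True
        pos += 10 + rdlen
    return False


def query_over_tls(server: str, msg: bytes, pinned_sha256: Optional[str] = None,
                   port: int = 853, timeout: float = 5.0) -> bytes:
    """Send one framed DNS message over TLS and return the first reply message.

    Normal PKI validation applies; if pinned_sha256 is given (assumed to be the
    hex SHA-256 of the resolver's leaf certificate DER), the leaf must also
    match it, which is the "preconfigured public key" model in TLS terms.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            if pinned_sha256 is not None:
                leaf = tls.getpeercert(binary_form=True)
                if hashlib.sha256(leaf).hexdigest() != pinned_sha256.lower():
                    raise ssl.SSLError("leaf certificate does not match the configured pin")
            tls.sendall(frame(msg))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("connection closed before a full reply arrived")
                buf += chunk
                replies, buf = unframe(buf)
                if replies:
                    return replies[0]


if __name__ == "__main__":
    # Offline demonstration: the framed bytes are what would go into the TLS stream.
    q = build_query("example.com")  # constructed sample query
    print(len(q), "byte DNS message, DO bit:", dnssec_ok_set(q))
    print("framed:", frame(q)[:2].hex(), "+", len(q), "bytes of unchanged DNS")
```

The `unframe` remainder handling matters in practice: a TLS record boundary need not line up with a DNS message boundary, so a client that assumes one `recv` equals one message will mis-parse replies on a busy connection.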