On Nov 27, 2013, at 7:36 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> On Wed, Nov 27, 2013 at 07:29:05AM -0800,
> Paul Hoffman <paul.hoff...@vpnc.org> wrote 
> a message of 29 lines which said:
> 
>> The only possible outcome of people agreeing that there should be
>> more privacy for DNS queries and responses will be protocol changes.
> 
> I disagree. If you read the version -00, you will see that the change
> proposed in section 5.2.2 is *not* a change in protocol but a
> unilateral action by the resolvers.

Ummm, yes, but your message (and the Introduction) made it sound like the 
emphasis of the draft is on listing the privacy implications, and not the 
suggested changes to deal with them. Choose a story and stick to it. :-)

> Other changes may also be seen as unilateral action not requiring a
> protocol change (sending gratuitous queries to defeat traffic
> analysis, for instance).

We haven't gotten into commenting on the stuff in section 5. When we do, I'll 
point out the futility of gratuitous queries.

>> Further, the vast majority of DNS queries are made by applications,
>> not directly by people.
> 
> I do not see your point. When I click on http://www.playboy.com/, the
> request may be done by an application but it certainly has a
> relationship with a person, the user.

"has a relationship" is fairly weak. Rendering the web page returned by a 
browser query can easily generate 50 DNS queries to places the user has never 
heard of. Your document needs to cover the privacy implications of DNS requests 
that were done without intention. Further, the world is more than browsers. The 
fact that an app I am using is doing a lookup for imap.badplace.org is also 
important. 

>> My first pass skim results in "this is a very solid starting point;
>> it needs a bit more meat; 
> 
> Can you explain in what parts? I'm willing to write more but I don't
> want to increase the size of the draft just to make it more impressive
> :-)

Much more emphasis on section 3 ("Actual attacks") would be useful to readers 
who don't really think in terms of user -> application -> local resolver -> 
(offsite recursive) -> authoritative(s).

--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
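The point above about a single click fanning out into lookups for names the user never typed can be made concrete. The following is an added example, not code from this thread or from the draft under discussion: it parses a constructed HTML page (the hostnames in it are made up, using the reserved .test TLD) and lists the hostnames a browser would have to resolve just to render it, split into first-party and third-party names. Any resolver, or anyone watching the path to it, sees every one of those names even though the user only intended to visit one site. The registrable-domain helper is a deliberate simplification (last two labels); real code should consult the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site). The user clicked one link, but the
# markup references resources on several other hosts.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example-site.test/css/main.css">
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="//tracker.example-ads.test/pixel.js"></script>
</head><body>
<img src="https://img.example-site.test/logo.png">
<img src="https://cdn.example-cdn.test/banner.png">
<iframe src="https://social.example-widget.test/like"></iframe>
<a href="https://www.example-site.test/about">About</a>
</body></html>
"""

# (tag, attribute) pairs whose URL the browser fetches automatically while
# rendering. Plain <a href> links are excluded: they only resolve on click.
AUTO_FETCH = {("link", "href"), ("script", "src"), ("img", "src"), ("iframe", "src")}


class ResourceHostExtractor(HTMLParser):
    """Collect the hostnames of every automatically fetched resource."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                # Protocol-relative URLs ("//host/path") have no scheme; add one
                # so urlparse recognises the host part.
                url = "https:" + value if value.startswith("//") else value
                host = urlparse(url).hostname
                if host:
                    self.hosts.add(host.lower())


def registrable_domain(host):
    # Simplification (assumption for this example): last two labels.
    # Real code should use the Public Suffix List, since e.g. co.uk needs three.
    return ".".join(host.split(".")[-2:])


def implied_dns_queries(page_host, html):
    """Return (first_party, third_party): the hostnames a browser must resolve
    to render `html`, beyond `page_host` itself, grouped by whether they share
    the visited site's registrable domain."""
    parser = ResourceHostExtractor()
    parser.feed(html)
    site = registrable_domain(page_host)
    extra = parser.hosts - {page_host.lower()}
    first_party = {h for h in extra if registrable_domain(h) == site}
    third_party = extra - first_party
    return first_party, third_party


if __name__ == "__main__":
    first, third = implied_dns_queries("www.example-site.test", SAMPLE_HTML)
    print("first-party lookups:", sorted(first))
    print("third-party lookups:", sorted(third))
```

Run against a real page's HTML, the third-party set is the list of names the draft's "user has never heard of" phrase refers to; every one of them reaches the local and recursive resolvers with the same client address as the intended visit.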