Hello, (a reaction on the second paragraph of 4. Authenticated Operation, only)

That paragraph states that the ENCRYPT RR can be signed by DNSSEC. However, I don't think that is possible! A signature is the hash of the DNS data sent, encrypted with the private key. But in this case: whose private key?!!! Not the root zone's, I hope? From the domain one is about to send a query for (but the whole idea is to hide that kind of information!)? But since this encryption is really between a DNS client and the DNS server it is about to query, it should be the "private key of that DNS server". But that is not what DNSSEC is about. Hence, I think ENCRYPT RRs cannot be protected by DNSSEC.

Kind regards,
Marc

On Thu, Nov 28, 2013 at 2:25 PM, W.C.A. Wijngaards <wou...@nlnetlabs.nl> wrote:

> Hi,
>
> I also heard that this is the place to discuss DNS privacy.
>
> This draft is a protocol, and represents an (interesting) point in the
> solution space. I would refer to Bortzmeyer's draft and Koch's draft
> for problem space analysis.
>
> http://tools.ietf.org/html/draft-wijngaards-dnsop-confidentialdns-00
>
> It supports opportunistic encryption, i.e. try to encrypt but fall back
> to insecure. This supports deployment immensely, because clean DNS
> paths are uncommon.
>
> It supports stateless operation. It uses UDP.
>
> It supports encryption for stub-to-cache and cache-to-authority.
>
> Best regards,
> Wouter

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
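Marc's objection rests on what a DNSSEC signature actually covers: an RRSIG signs the canonical form of an RRset together with the RRSIG's own fields, under the private key of the zone that publishes the RRset, and a validator accepts only a DNSKEY it can chain to a trust anchor. The Go program below is an added illustration of that mechanism, not code from this thread or from the draft. The owner name, the TXT RRset (the thread gives no type code for ENCRYPT, so TXT stands in), the inception/expiration timestamps and the key tag are constructed; the keys are fresh ECDSA P-256 keys (DNSSEC algorithm 13); and Go's ASN.1 signature encoding is used where DNSSEC stores the raw r||s pair. It builds the signed data as RFC 4034 specifies, then shows the validator's view: the zone key's signature verifies against the zone's DNSKEY, while a signature made by an unrelated key, standing in for the key of the server that answered, does not.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record; Rdata is already in wire form.
type RR struct {
	Name  string
	Type  uint16
	Class uint16
	TTL   uint32
	Rdata []byte
}

// RRSIGFields are the RRSIG RDATA fields that precede the signature itself
// (RFC 4034 section 3.1); they are covered by the signature.
type RRSIGFields struct {
	TypeCovered uint16
	Algorithm   uint8 // 13 = ECDSAP256SHA256 (RFC 6605)
	Labels      uint8
	OriginalTTL uint32
	Expiration  uint32
	Inception   uint32
	KeyTag      uint16
	SignerName  string
}

// WireName encodes a presentation-format name in DNS wire format, lowercased as
// the canonical form of RFC 4034 section 6.2 requires.
func WireName(name string) []byte {
	var b bytes.Buffer
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			b.WriteByte(byte(len(label)))
			b.WriteString(label)
		}
	}
	b.WriteByte(0) // root label
	return b.Bytes()
}

// CanonicalRRset serialises an RRset in the canonical form of RFC 4034
// section 6.3: owner|type|class|TTL|rdlength|rdata per RR, RRs sorted by RDATA.
func CanonicalRRset(rrs []RR) []byte {
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].Rdata, sorted[j].Rdata) < 0 })
	var b bytes.Buffer
	for _, rr := range sorted {
		b.Write(WireName(rr.Name))
		binary.Write(&b, binary.BigEndian, rr.Type)
		binary.Write(&b, binary.BigEndian, rr.Class)
		binary.Write(&b, binary.BigEndian, rr.TTL)
		binary.Write(&b, binary.BigEndian, uint16(len(rr.Rdata)))
		b.Write(rr.Rdata)
	}
	return b.Bytes()
}

// SignedData is the exact byte string a DNSSEC signer signs:
// RRSIG_RDATA (minus the signature field) followed by the canonical RRset.
func SignedData(f RRSIGFields, rrs []RR) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, f.TypeCovered)
	b.WriteByte(f.Algorithm)
	b.WriteByte(f.Labels)
	binary.Write(&b, binary.BigEndian, f.OriginalTTL)
	binary.Write(&b, binary.BigEndian, f.Expiration)
	binary.Write(&b, binary.BigEndian, f.Inception)
	binary.Write(&b, binary.BigEndian, f.KeyTag)
	b.Write(WireName(f.SignerName))
	b.Write(CanonicalRRset(rrs))
	return b.Bytes()
}

// SignRRset produces the signature a zone's private key would place in an RRSIG.
// Simplification: ASN.1 ECDSA encoding is used; DNSSEC algorithm 13 stores r||s.
func SignRRset(priv *ecdsa.PrivateKey, f RRSIGFields, rrs []RR) ([]byte, error) {
	h := sha256.Sum256(SignedData(f, rrs))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyRRset is the validator's check against a DNSKEY it trusts for the zone.
func VerifyRRset(pub *ecdsa.PublicKey, f RRSIGFields, rrs []RR, sig []byte) bool {
	h := sha256.Sum256(SignedData(f, rrs))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo signs a constructed TXT RRset of "example." with the zone key, then checks
// that signature and one made by the answering server's own key against the
// zone's DNSKEY, as a validator would. Returns (zoneSigOK, serverSigOK).
func Demo() (bool, bool) {
	zoneKey, serverKey := genKey(), genKey() // serverKey is not in the zone's DNSKEY/DS chain
	rrs := []RR{{Name: "example.", Type: 16, Class: 1, TTL: 3600,
		Rdata: append([]byte{18}, "constructed record"...)}} // TXT: <len><bytes>
	f := RRSIGFields{TypeCovered: 16, Algorithm: 13, Labels: 1, OriginalTTL: 3600,
		Expiration: 1388534400, Inception: 1385596800, KeyTag: 0, SignerName: "example."} // timestamps and key tag constructed
	zoneSig, err := SignRRset(zoneKey, f, rrs)
	if err != nil {
		panic(err)
	}
	serverSig, err := SignRRset(serverKey, f, rrs)
	if err != nil {
		panic(err)
	}
	return VerifyRRset(&zoneKey.PublicKey, f, rrs, zoneSig), VerifyRRset(&zoneKey.PublicKey, f, rrs, serverSig)
}

func main() {
	z, s := Demo()
	fmt.Println("zone-key RRSIG validates:", z, "| server-key RRSIG validates:", s)
}
```

The outcome is the mechanical form of the point made in the message: a validator holding the zone's DNSKEY accepts only signatures made with that zone's private key, so a record whose signer would have to be the answering server rather than the zone cannot be covered by the zone's DNSSEC chain without some separate way of trusting the server's key.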