Francis,

On 3/5/14 11:07 AM, "Francis Dupont" <francis.dup...@fdupont.fr> wrote:

> From discussions with Stephane Bortzmeyer and Mark Andrews...
>
> First I come back to the fact there are two different problems
> (aka divide and conquer):
> * stubs <-> resolver
> * resolver <-> auth servers

Agreed.

> I consider the first one to be already solved, cf. the Microsoft
> deployed solution which puts clients, local networks, the resolver
> (also the Microsoft Domain Server :-), in the same area and uses
> IPsec to protect it.

Which may be great if you are: 1) in an environment using Microsoft solutions; and 2) connected to those networks. Not so great if you are NOT in a Microsoft environment or are mobile or on other networks (and yes, I realize you could VPN back into the corporate network).

> You can do other ways but IMHO we can assume
> you don't need confidentiality with far or untrusted resolvers.
> Or in other words you don't need confidentiality with 8.8.8.8

And I will disagree with that assumption. I personally want confidentiality between my stub resolver and whatever recursive resolvers I may choose to use, including 8.8.8.8 (and its IPv6 equivalent). I'd like to remove that connection as a place where an attacker can monitor / observe / log my DNS queries.

Regards,
Dan

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org +1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork http://twitter.com/danyork
http://www.internetsociety.org/deploy360/