On 03/06/2014 02:39 PM, Stephane Bortzmeyer wrote:
>> all the more reasons for ISPs to try and force you to use theirs
>> (perhaps even after some friendly coercion from the nearest
>> three-letter agency (four in the Netherlands as well)). In which
>> case we'd need even better channel encryption, to the point where
>> you can't tell it's DNS, so it can be tunneled out of the network
> 
> If we follow this line of reasoning, why do we deploy more security,
> then? With this argument, we would never have deployed HTTPS
> either. (Or SSH: most hotspots and many ISPs block SSH.)
> 

And lo and behold, you do see forced breakage of SSL, and 'friendly'
MITM attacks forced on people.

But I'm not saying we shouldn't do anything. I'm saying that I'm worried
that if we blindly splat some channel encryption on, we may actually
lower security for a number of people, in which case we need to go even
further and hide the fact that DNS data is being sent in the first
place. Now this may very well have been solved (VPN/SSL tunneling, one
of the existing specific-to-dns channel solutions), but in that case we
should probably be explicit about it.

But really I was working up to my next message, that was a +1 on
splitting up the various problems, and fix (or not fix) those
separately. That might even include not trusting your resolver in the
first place.

> We promised in Vancouver to seriously strengthen the Internet against
> surveillance. Was it an empty promise, politician-style?
>

I think we are all trying to do exactly that.

Or, to be a bit more precise and/or cynical: Of course it was, but we
are trying to do it anyway.

Jelte

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
