On 03/06/2014 02:39 PM, Stephane Bortzmeyer wrote:
>> all the more reasons for ISPs to try and force you to use theirs
>> (perhaps even after some friendly coercion from the nearest
>> three-letter agency (four in the Netherlands as well)). In which
>> case we'd need even better channel encryption, to the point where
>> you can't tell it's DNS, so it can be tunneled out of the network
>
> If we follow this line of reasoning, why do we deploy more security,
> then? With this argument, we would never have deployed HTTPS
> either. (Or SSH: most hotspots and many ISPs block SSH.)
>

And lo and behold, you do see forced breakage of SSL, and 'friendly' MITM attacks forced on people. But I'm not saying we shouldn't do anything. I'm saying that I'm worried that if we blindly splat some channel encryption on, we may actually lower security for a number of people, in which case we need to go even further and hide the fact that DNS data is being sent in the first place.

Now this may very well have been solved (VPN/SSL tunneling, one of the existing specific-to-DNS channel solutions), but in that case we should probably be explicit about it.

But really I was working up to my next message, which was a +1 on splitting up the various problems and fixing (or not fixing) those separately. That might even include not trusting your resolver in the first place.

> We promised in Vancouver to seriously strengthen the Internet against
> surveillance. Was it an empty promise, politician-style?
>

I think we are all trying to do exactly that. Or, to be a bit more precise and/or cynical: of course it was, but we are trying to do it anyway.

Jelte

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop