On Thu, Mar 06, 2014 at 06:39:07PM +0100, Stephane Bortzmeyer wrote:
> It's a very valid and interesting point but it has not a lot of
> relationship with the privacy issues.

I don't entirely agree: if a MITM can spoof a trusted remote resolver, then QNAME minimization won't help you. DNSSEC ensures that you get legitimate answers; it doesn't ensure that the server on the other end belongs to someone you trust to keep your queries confidential.

> I suggest that it deserves a
> separate effort, which could start with a nice I-D describing the
> problem statement/analysis (and then to proposed solutions).

I agree it would be appropriate to treat stub-to-resolver channel security as a separate problem space. (I will note in passing that I'm intrigued by the CGA-TSIG draft being circulated by Mr. Raffieh.)

> Unless we want to solve all the security problems of the DNS at once,
> with the same solution?

Oh, I didn't realize it was an option. Yes, that sounds excellent, please do that.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop