Phillip Hallam-Baker <hal...@gmail.com> wrote:
> On Mon, Mar 10, 2014 at 1:44 PM, Tony Finch <d...@dotat.at> wrote:
> >
> > > Resolver has no session key on file so it sends the request in plaintext.
> >
> > This leakage is bad especially for recursors with few users and / or
> > queries for infrequently visited domains.
>
> If a Russian citizen is visiting Putler.com and the authoritative for that
> zone only has that entry and nothing else, then traffic analysis is going
> to give away the request subject.

That does not imply we should make it easy for attackers in other situations.

> > > It can however be alerted to support for the security protocol in the
> > > DNSSEC information for the zone.
> >
> > This is a bad idea because it makes partial deployment difficult - e.g.
> > staged roll-out of encryption. DNSSEC information is per-zone but
> > encryption has to be per-server.
>
> I can't see the point of a partial rollout of encryption at an
> authoritative.

It is a natural consequence of cautious deployment. Also, a zone has
multiple authoritative servers, so the partial roll-out I was talking about
is partial per-zone not partial per-server. Which is why the encryption
flag has to be per-server not per-zone as you suggested.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Hebrides: South or southwest 5 to 7, increasing gale 8 for a time in
northwest. Moderate or rough, becoming very rough in northwest. Mainly fair.
Moderate or good, occasionally poor later.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
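The per-zone versus per-server argument in the message above, as an added toy model that is not code from the thread, from either participant, or from any DNS implementation. The zone name, the two name servers, the "flag" and the outcome labels are all constructed and hypothetical: the model stands in for whatever real signal a protocol would carry, performs no DNS, DNSSEC or encryption, and treats a mismatch between the flag and a not-yet-upgraded server as a failed attempt, which is a modelling assumption (a real protocol might fall back to plaintext instead). What it shows is the staged roll-out case Tony describes: with one signal for the whole zone, the operator either cannot set it until every server is upgraded (so the upgraded server gains nothing) or sets it early and breaks queries to the servers still on plaintext; with a per-server signal, each server is used to the best of its own ability.

```python
"""Toy model of per-zone vs per-server encryption signalling (constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AuthServer:
    """One authoritative name server for a zone (hypothetical)."""
    name: str
    supports_encryption: bool   # has this particular server been upgraded?


@dataclass
class Zone:
    """A zone and its authoritative servers (hypothetical)."""
    name: str
    servers: List[AuthServer]
    # Hypothetical per-zone "encryption supported" flag published alongside
    # the zone's DNSSEC data: one value shared by every server of the zone.
    zone_flag_encryption: bool = False


def query_with_zone_flag(zone: Zone, server: AuthServer) -> str:
    """Resolver trusts the per-zone flag and treats every server alike."""
    if not zone.zone_flag_encryption:
        # Flag off: the resolver never tries, even against upgraded servers.
        return "plaintext"
    if server.supports_encryption:
        return "encrypted"
    # Flag on but this server was not upgraded: modelled as a failed attempt.
    return "failed"


def query_with_server_flag(server: AuthServer) -> str:
    """Resolver learns support per server and encrypts wherever it can."""
    return "encrypted" if server.supports_encryption else "plaintext"


def rollout_outcomes(zone: Zone, per_server: bool) -> Dict[str, str]:
    """Outcome of one query to each of the zone's servers under one model."""
    return {
        s.name: (query_with_server_flag(s) if per_server
                 else query_with_zone_flag(zone, s))
        for s in zone.servers
    }


# Constructed staged roll-out: ns1 has been upgraded, ns2 has not.
NS1 = AuthServer("ns1.example.net", supports_encryption=True)
NS2 = AuthServer("ns2.example.net", supports_encryption=False)


def staged_zone(zone_flag: bool) -> Zone:
    """The same half-upgraded zone, with the per-zone flag set or not."""
    return Zone("example.com", [NS1, NS2], zone_flag_encryption=zone_flag)


if __name__ == "__main__":
    print("per-zone flag off:", rollout_outcomes(staged_zone(False), per_server=False))
    print("per-zone flag on: ", rollout_outcomes(staged_zone(True), per_server=False))
    print("per-server signal:", rollout_outcomes(staged_zone(True), per_server=True))
```

Run as a script it prints the three cases side by side: with the per-zone flag off both servers answer in plaintext, with it on the non-upgraded server fails, and only the per-server signal gives "encrypted" on ns1 and "plaintext" on ns2 at the same time.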