Some comments on the qname-minimisation draft: In general, while I like the idea of qname minimization, much of this draft reads like a series of complaints about bad DNS operational practices instead of providing a detailed explanation of how to minimize the query names and what that might imply.
- Section 1: While the pointer to the dns-privacy draft is helpful as a reference, I figure the introduction/background section should provide an introduction to the specific problem the draft is attempting to address and why it is a problem. - Section 2: "It can be noted that minimising the amount of data sent also partially addresses the case of a wire sniffer, not just the case of privacy invasion by the servers." This probably needs a bit more explanation. If you're sniffing the wire, you'll see the final query for the full QNAME/QCLASS/QTYPE and all the intervening NS queries can simply be ignored, no? Or is the sniffer on a different wire? "Sending the full qname to the authoritative name server is a tradition, not a protocol requirment." I'd actually call it an optimization, not a tradition. - Section 3: "On the other hand, it will decrease their legal responsability, in many cases." I'm not sure it's worth raising this as "legal responsibility" in an engineering document sounds like a 'rathole of unusual size' to me. 'As an example of today, look at www.ratp.fr (not ratp.fr), which is delegated to two name servers that reply properly to "A www.ratp.fr" queries but send REFUSED to queries "NS www.ratp.fr".' I suspect this particular brokenness will be fixed at some point in the future, thus I doubt this example will be useful. 'Another way to deal with such broken name servers would be to try with A requests (A being choosen because it is the most common and hence the least revealing qtype).' I'm unclear as to how the QTYPE being requested provides significantly more information leakage -- isn't the real information leakage the actual QNAME? 'For such a name, a cold resolver will, depending how qname minimisation is implemented, send more queries.' It might be useful to go discuss ways in which qnames can be implemented. - Section 4: Might rename this section to "Performance Implication" and, in addition to discussing the negative caching stuff, provide some examples of the increase in round trips necessary to deal with probing to find zone cuts. Hope this helps. Regards, -drc
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
