In message <ca40d404-c43b-4bf4-8f66-e6dd75528...@hopcount.ca>, "Joe Abley" writes:
>
> > On 1 Sep 2015, at 11:45, Jacob Appelbaum wrote:
>
> > In my view and the DNS has a critical flaw: it does not provide query
> > privacy.
>
> You're on the wrong list. The people working on DNS privacy are over at
> DPRIVE. For the problem statement, see RFC 7626, recently published.
DPRIVE are looking at stub to recursive resolver privacy.  This is
recursive resolver to root server privacy, which is off charter for
DPRIVE.

Now there are two ways to solve this as the root is signed.

1. Recommend *every* recursive server holds a copy of the root zone.
   This has implications for ICANN and how many TLDs they can sell, as
   the root zone would need to remain relatively small.  This also
   helps with other leakage to the root zone.

2. Insecurely delegate .onion and recommend that every resolver
   synthesise an NXDOMAIN response.  This also has implications for
   ICANN as they don't have procedures to do this sort of delegation.

3. Hope that QNAME minimisation gets deployed to all stub resolvers.

2 and 3 both leak that an onion name is being looked up but not what
that name is.

> Joe

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
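The three options in the message above differ in what a root server (or anything watching the path to it) gets to see for a lookup of a .onion name. The following is an added example, not code from the thread or from any resolver: a toy model of an iterative lookup over a constructed delegation tree (ZONES, with no "onion" delegated from the root, as in the real root zone), reporting which zone is asked for which query name. It models QNAME minimisation as "send only the labels down to the next zone cut", a local root copy as "root-level queries are answered from local data", and the .onion case as a locally synthesised NXDOMAIN (the LOCAL_NXDOMAIN_TLDS policy set is an assumption of the example). The .onion name used is constructed and is not a real service.

```python
"""Toy model of an iterative DNS lookup: which authoritative zone sees which
query name, with and without QNAME minimisation (RFC 7816), and how a local
root-zone copy or a locally synthesised NXDOMAIN for .onion keeps the query
from ever reaching the root.  Constructed example; not code from the thread."""

from typing import List, Tuple

# Constructed delegation tree: zone apex -> labels delegated from that zone.
# "onion" is deliberately absent from the root, as it is in the real root zone.
ZONES = {
    ".": {"com", "org"},
    "com": {"example"},
    "example.com": set(),
}

# Assumed local policy: TLDs for which the resolver synthesises NXDOMAIN
# itself instead of asking the root (option 2 in the message above).
LOCAL_NXDOMAIN_TLDS = {"onion"}


def _labels(name: str) -> List[str]:
    """'www.example.com.' -> ['www', 'example', 'com']"""
    return [l for l in name.rstrip(".").split(".") if l]


def iterative_lookup(qname: str, minimise: bool) -> List[Tuple[str, str]]:
    """Return the (zone_asked, qname_sent) pairs an iterative resolver emits.

    Without minimisation the full qname goes to every server on the path.
    With minimisation each server sees only the labels down to the next cut.
    """
    qlabels = _labels(qname)
    sent: List[Tuple[str, str]] = []
    zone, depth = ".", 0  # depth = labels of qname already covered by `zone`
    while True:
        if minimise:
            start = max(len(qlabels) - depth - 1, 0)
            asked = ".".join(qlabels[start:]) + "."
        else:
            asked = qname
        sent.append((zone, asked))
        if depth >= len(qlabels):
            break  # whole name covered; this zone holds the answer
        next_label = qlabels[len(qlabels) - depth - 1]
        if next_label not in ZONES.get(zone, set()):
            break  # no delegation: this zone answers (data or NXDOMAIN)
        zone = next_label if zone == "." else f"{next_label}.{zone}"
        depth += 1
    return sent


def resolve(qname: str, *, minimise: bool = False, local_root: bool = False,
            onion_nxdomain: bool = False) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply the mitigations from the message and report what actually
    leaves the resolver: (outcome, queries sent over the network)."""
    qlabels = _labels(qname)
    if onion_nxdomain and qlabels and qlabels[-1] in LOCAL_NXDOMAIN_TLDS:
        return "NXDOMAIN synthesised locally", []       # option 2
    sent = iterative_lookup(qname, minimise)            # option 3 if minimise
    if local_root:
        # Option 1: root zone held locally, so root-level queries never leave.
        sent = [(z, q) for z, q in sent if z != "."]
    outcome = "answered locally from root copy" if not sent else "iterative"
    return outcome, sent


def root_sees(qname: str, minimise: bool) -> str:
    """The query name the root server receives for this lookup ('' if none)."""
    for zone, asked in iterative_lookup(qname, minimise):
        if zone == ".":
            return asked
    return ""


if __name__ == "__main__":
    name = "examplexyz123.onion."  # constructed, not a real service
    print("no mitigation, root sees:", root_sees(name, minimise=False))
    print("QNAME minimisation, root sees:", root_sees(name, minimise=True))
    print("local root copy:", resolve(name, local_root=True))
    print("local .onion NXDOMAIN:", resolve(name, onion_nxdomain=True))
    print("ordinary name, minimised:", iterative_lookup("www.example.com.", True))
```

With no mitigation the root receives the full onion name; with QNAME minimisation it receives only "onion." (so the fact that an onion lookup happened still leaks, as the message says, but not which name); with a local root copy or a locally synthesised NXDOMAIN nothing for that name leaves the resolver at all.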