On 9/3/15, John R Levine <jo...@taugh.com> wrote:
>> Until the invention of quantum computers, we can protect data from
>> being instantly available to most of these groups most of the time.
>
> Aw, come on. There are root servers in China.
>
I'm much more worried about the root servers run by people who also deploy drones for assassination, thanks. Though in the end, I'm concerned about those servers and all the network links too. With query minimization and link level encryption, we'll still have to deal with operators that will behave badly. That is yet another problem to tackle and important! DNSSEC solves many of the badly behaving operator issues but not issues of confidentiality. I guess there are some things we can do to show that a root server is misusing otherwise unpublished information with some kind of honeytoken. With query privacy, link level encryption, query minimization and so on, I think there would be a massive step forward in the security of the DNS. Right now - we don't need to be seriously concerned with where a root server is in terms of the violation of privacy - almost all of the networks of the world are monitored by *someone* at the moment.

>> My outline is as follows: everyone and every system should have
>> security and privacy in the form of forward-secret authenticated
>> cryptography, all of the time, enabled by default.
>
> That's nice, but this is the IETF. We can't even get people to stop
> running BIND 4.

Not with that attitude, obviously! The IETF is able to make strong privacy respecting standards that protect users and operators alike. The anti-privacy obstructionism attitude from some in the IETF is pretty frustrating. This negative attitude stalls classification of problems as well as standardization of positive changes and it causes a lot of needless infighting. Mass surveillance is a problem and what I said seems a reasonable goal. I'm open to counter proposals and the same question I asked Vixie is really for everyone or anyone at all. Even though we won't achieve it overnight, once we figure out what to do - it is possible to solve it for anyone willing to deploy those solutions. We might even get those people running BIND (4!?) to upgrade!
All the best,
Jacob

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
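The message above argues that query minimization reduces what a root (or TLD) operator can learn from a resolver's traffic. As an added illustration that is not part of the thread and not code from any real resolver, the toy model below replays a recursive resolver's walk down a constructed delegation chain and records exactly which name each server is asked, first in the classic style (every server sees the full query name) and then with QNAME minimisation in the style of RFC 7816 (each server is asked only for the next label below its zone cut, as an NS query, and only the final authoritative server sees the full name and real query type). The zone layout (`.`, `example.`, `corp.example.`) and the server labels are constructed for the example; nothing here talks to the network.

```python
# Added example (constructed data, not from the mailing-list thread): compares what each
# authoritative server in a delegation chain learns from a resolver with and without
# QNAME minimisation (RFC 7816). The zone layout below is a toy, not live DNS.

from typing import Dict, List, Tuple

# Constructed zone cuts: zone apex -> label for the server authoritative for that zone.
ZONE_SERVERS: Dict[str, str] = {
    ".": "root-server",          # stands in for a root server operator
    "example.": "tld-server",    # stands in for a TLD operator
    "corp.example.": "corp-server",  # the organisation that actually owns the name
}

Query = Tuple[str, str, str]  # (server, qname sent, qtype sent)


def labels(name: str) -> List[str]:
    """Labels of a fully qualified name, top-level first; '.' yields []."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]


def name_of(labs: List[str]) -> str:
    """Inverse of labels(): rebuild a fully qualified name from top-level-first labels."""
    return ".".join(reversed(labs)) + "." if labs else "."


def normalise(qname: str) -> str:
    """Lower-case and guarantee a trailing dot so comparisons are exact."""
    q = qname.strip().lower()
    return q if q.endswith(".") else q + "."


def delegation_chain(qname: str) -> List[str]:
    """Zones the resolver walks, root first, to reach the server authoritative for qname."""
    labs = labels(qname)
    chain = ["."]
    for n in range(1, len(labs) + 1):
        zone = name_of(labs[:n])
        if zone in ZONE_SERVERS:
            chain.append(zone)
    return chain


def resolve_full(qname: str, qtype: str = "A") -> List[Query]:
    """Classic iterative resolution: every server in the chain is sent the complete qname."""
    qname = normalise(qname)
    return [(ZONE_SERVERS[zone], qname, qtype) for zone in delegation_chain(qname)]


def resolve_minimised(qname: str, qtype: str = "A") -> List[Query]:
    """QNAME-minimised resolution: reveal one label past each zone cut, as an NS query,
    and send the full name with the real qtype only to the last zone's server."""
    qname = normalise(qname)
    full = labels(qname)
    chain = delegation_chain(qname)
    queries: List[Query] = []
    for i, zone in enumerate(chain):
        server = ZONE_SERVERS[zone]
        depth = len(labels(zone))  # labels this server already knows (its own apex)
        if i + 1 < len(chain):
            # Intermediate zone: ask only for the child cut, not the leaf name.
            queries.append((server, name_of(full[: depth + 1]), "NS"))
        else:
            # Final zone: add one label at a time, then the real query.
            for n in range(depth + 1, len(full)):
                queries.append((server, name_of(full[:n]), "NS"))
            queries.append((server, qname, qtype))
    return queries


def labels_seen(queries: List[Query]) -> Dict[str, int]:
    """Maximum number of labels of the original name each server was shown."""
    seen: Dict[str, int] = {}
    for server, name, _ in queries:
        seen[server] = max(seen.get(server, 0), len(labels(name)))
    return seen


if __name__ == "__main__":
    for q in ("www.corp.example.", "a.b.corp.example."):
        print(q)
        print("  full      :", labels_seen(resolve_full(q)))
        print("  minimised :", labels_seen(resolve_minimised(q)))
```

Running it shows the point the message makes: without minimisation the root and TLD servers both see `www.corp.example.` (three labels), while with minimisation the root sees only `example.` and the TLD only `corp.example.`; the leaf label reaches no one but the server that is authoritative for it. Link encryption does not change this table at all, which is why the message treats the two measures as complementary: encryption hides the query from observers on the path, minimisation limits what the endpoints themselves learn.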