> This is explicitly prohibited by rfc9460 as it would provide linkability. See rfc9460 section 12: "Clients MUST ensure that their DNS cache is partitioned for each local network, or flushed on network changes, to prevent a local adversary in one network from implanting a forged DNS record that allows them to track users or hinder their connections after they leave that network."
>
> Not if the ECH record is DNSSEC signed.
>
> Except that no browser client does DNSSEC validation and there is no realistic prospect of that changing.
>
> -Ekr
If a local adversary can insert a fake ECH parameter then the local adversary can also insert fake IPv4 or IPv6 addresses and relay traffic. So flushing the cache seems a good idea even without ECH.

At the same time, ECH requires a trusted recursive resolver. Assuming the connection to the recursive resolver is properly secured then filling the cache after a network change should be no problem.

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
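The partition-or-flush rule from RFC 9460 section 12 that the thread discusses, as an added illustration that is not code from the thread, from any browser, or from any resolver: a small stub-resolver cache keyed by an opaque local-network identifier (how the OS derives that identifier is an assumption), with the flush-on-change alternative as an option, and a constructed scenario in which an HTTPS record learned on one network is not served on another.

```python
import time
from typing import Any, Dict, Optional, Tuple

class NetworkPartitionedDnsCache:
    """Toy stub-resolver cache following RFC 9460 section 12: entries are keyed by
    the network they were learned on, so a record implanted on one network is
    never served on another. Illustrative only; not browser or resolver code."""

    def __init__(self, flush_on_change: bool = False) -> None:
        self.flush_on_change = flush_on_change
        self.current_net: Optional[str] = None
        # (network_id, owner name, rrtype) -> (absolute expiry, rdata)
        self._store: Dict[Tuple[Optional[str], str, str], Tuple[float, Any]] = {}

    def attach(self, network_id: str) -> None:
        """Called on every network change. network_id is assumed to be an opaque
        per-network identifier supplied by the OS (an assumption of this example)."""
        if self.flush_on_change and network_id != self.current_net:
            self._store.clear()  # the RFC's other option: flush on network change
        self.current_net = network_id

    def put(self, name: str, rrtype: str, rdata: Any, ttl: int,
            now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._store[(self.current_net, name.lower(), rrtype)] = (now + ttl, rdata)

    def get(self, name: str, rrtype: str, now: Optional[float] = None) -> Optional[Any]:
        now = time.time() if now is None else now
        key = (self.current_net, name.lower(), rrtype)
        entry = self._store.get(key)
        if entry is None:
            return None
        expiry, rdata = entry
        if now >= expiry:  # honour the TTL like any resolver cache
            del self._store[key]
            return None
        return rdata

def demo() -> Tuple[Optional[Any], Optional[Any]]:
    """Constructed scenario: an HTTPS record carrying an ECH config is learned on
    one network, looked up after moving to another, then again after returning."""
    cache = NetworkPartitionedDnsCache()
    cache.attach("net-cafe")
    cache.put("example.com", "HTTPS", {"ech": "config-learned-on-cafe"}, ttl=3600, now=0)
    cache.attach("net-home")
    on_other_net = cache.get("example.com", "HTTPS", now=10)  # None: partition blocks it
    cache.attach("net-cafe")
    back_on_cafe = cache.get("example.com", "HTTPS", now=20)  # served again here
    return on_other_net, back_on_cafe
```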