"Joe Abley" <jab...@hopcount.ca> writes:

>   http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02
> There are privacy concerns, here. But we might posit that you're
> already in the business of trading privacy for convenience if you're
> using a public resolver.

Personally, I've always thought the privacy concerns of
draft-vandergaast (not of using public recursive servers) are

The entity running the recursive nameserver has knowledge of the exact
address (not just the subnet) that you're sending the query from, by
inspection of the packet.

The entity running the authoritative nameserver does not...  but
unless you're using DNS for some kind of off-label purpose (
http://code.kryo.se/iodine/ comes immediately to mind), the next thing
you'll be doing once you have the reply is opening some kind of
connection to the address returned...  at which point the target
entity will be able to tell the exact address that you're coming from.
This assessment makes the assumption that the folks running the
authoritative DNS servers are either the target entity or its agent.
If that's an invalid assumption, one might say you have bigger

If someone could explain a privacy concern here that doesn't involve
dipping into my meager tinfoil supply (I'm low and not going to the
grocery until tomorrow), that would be swell.

