On Fri, 03 Jun 2016 10:26:50 -0700, "Christian Huitema" wrote: 
>On Thursday, June 2, 2016 3:50 PM, Paul Wouters wrote:
>> 
>> On Thu, 2 Jun 2016, Hugo Maxwell Connery wrote:
>> 
>> > so, let's get 8.8.8.8 running TLS DNS as a push.
>> >
>> > Hang on, they are a surveillance/advertising business!  No problem, it
>> > is just they who can surveil.
>> 
>> It still makes sense to reduce the number of people that can read your DNS
>> requests, just like it makes sense to use https to google.com.
>
>Yes. And we have an interesting issue with the size of the service.
>
>...
>
>So, yes, we do have a problem. Either small and cuddly and easy to track. Or
>big and robust and a target for hacks and threats. That's better than
>nothing in the short term, but we should not stop there.

Those extremes pose the challenges you describe.

Those same challenges arise with privacy of other user behavior, such as
e-mail origination or destination.

An important conclusion is your "we should not stop there".

DNS-over-TLS is a PART of a solution, it is not a "magic privacy bit"
that, when flipped, creates perfect DNS privacy.  I think RFC-7858 is an
important step, there will be other steps for people who wish to be
robust to greater threats.

The world of private e-mail has a number of well known techniques.
DPRIVE is already considering padding.  Other well-known approaches are
striping queries across multiple servers, and adding "chaff" queries.
(I'm not sure that those approaches require standardization---they could
be done by any interested client.)

Over time, individuals will pick the level of protection they think is
appropriate.

But the existence of some remaining attacks should not discourage
progress.  For example, I think a recently published attack threatened
to break RSA keys using acoustic emissions from laptop CPUs.
Personally, that threat is not my top current worry :-)

   -John Heidemann
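
The padding technique mentioned above, as an added example that is not part of the thread or of any DPRIVE document: the code below builds a DNS query carrying an EDNS(0) Padding option (option code 12, RFC 7830) so that queries for names of very different lengths all leave the client as messages of the same size, which is what denies a passive observer the name-length signal that TLS alone does not hide. The 128-byte block size follows the RFC 8467 recommendation for queries; the sample names and the transaction id are constructed for illustration, and the parser only handles the uncompressed queries this builder produces.

```python
"""Added example: EDNS(0) padding (RFC 7830) for DNS-over-TLS queries.
Not code from the dns-privacy thread; sample names below are constructed."""
import struct

EDNS_PADDING = 12      # EDNS(0) option code for Padding (RFC 7830)
OPT_TYPE = 41          # OPT pseudo-RR type
QTYPE_A = 1
QCLASS_IN = 1
QUERY_BLOCK = 128      # RFC 8467 recommended block size for padded queries

# Constructed sample names of very different lengths.
SAMPLE_NAMES = [
    "a.example.",
    "www.example.com.",
    "mail.example.net.",
    "very-long-subdomain-name-for-testing.internal.example.org.",
]


def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def plain_query(name, txid=0x1234, qtype=QTYPE_A):
    """Header + question only: the message length tracks the name length."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_query(name, txid=0x1234, qtype=QTYPE_A, block=QUERY_BLOCK):
    """Same query plus an OPT RR whose Padding option rounds the whole
    message up to a multiple of `block` bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 additional RR
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # Everything except the padding bytes themselves:
    # header + question + OPT fixed fields (1+2+2+4+2 = 11) + option header (4)
    unpadded = len(header) + len(question) + 11 + 4
    pad_len = (-unpadded) % block
    option = struct.pack("!HH", EDNS_PADDING, pad_len) + b"\x00" * pad_len
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext. RCODE/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(option)) + option
    return header + question + opt_rr


def padding_option_length(msg):
    """Return the declared Padding option length of a query built here, or
    None when no padding is present (a receiver strips this before use)."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos = 12
    for _ in range(qdcount):
        while msg[pos] != 0:          # skip labels; no compression in a query
            pos += 1 + msg[pos]
        pos += 1 + 4                  # terminator + QTYPE/QCLASS
    for _ in range(arcount):
        pos += 1                      # root name of the additional RR
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        end = pos + rdlen
        if rtype != OPT_TYPE:
            pos = end
            continue
        while pos < end:              # walk the EDNS options
            code, olen = struct.unpack("!HH", msg[pos:pos + 4])
            if code == EDNS_PADDING:
                return olen
            pos += 4 + olen
    return None


def length_profile(names, block=QUERY_BLOCK):
    """Distinct on-the-wire lengths without and with padding; padding is
    doing its job when the second list collapses to a single value."""
    unpadded = sorted({len(plain_query(n)) for n in names})
    padded = sorted({len(build_query(n, block=block)) for n in names})
    return unpadded, padded


if __name__ == "__main__":
    before, after = length_profile(SAMPLE_NAMES)
    print("unpadded query lengths:", before)
    print("padded query lengths:  ", after)
```

Run stand-alone, the four sample names produce four distinct unpadded lengths and a single padded length of 128 bytes. Note that this only hides the query name length from someone watching the TLS stream; response sizes and timing are separate channels, which is the point of the "not a magic privacy bit" remark above.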

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
