In your previous mail you wrote:

> > Or, in other words, you don't need confidentiality with 8.8.8.8
>
> Why don't we need confidentiality with open resolvers like Google?

=> because the goal is not confidentiality at the level a Microsoft environment needs (Microsoft adopted and extended DNS with far stronger security requirements) but to make global surveillance by 3 letter agencies (4 letters in France) more expensive. And I don't trust Google for this (nor to pay its taxes :-).

> One might not like that anybody on his/her network knows what he is
> browsing. This is a part of privacy.

=> IMHO this is more the second problem. Note I consider that you want your "own" DNSSEC validating resolver too.

> > 3- the solution MUST work without prior arrangements
>
> Probably you need a miracle. Because with no arrangement, I do not think it
> is possible.

=> Michael Richardson's opportunistic encryption shows it is possible. BTW what we want is really opportunistic encryption as defined in Wikipedia (so don't object that there are at least 3 OEs at the IETF :-).

> If you use a weak approach, IMHO, it is better to forget encryption since
> you do not know how powerful an attacker can be and you only bother your
> computer.

=> not my computer, my resolver. And the goal is not strict/strong privacy, which BTW is impossible because 3/4 letter agencies can anyway ask for the .com or .fr server logs. Personally I don't like the idea of DNS encryption, but because I don't want to give a reason to ISPs to filter port 53.

Regards

francis.dup...@fdupont.fr

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop