Re: [dns-privacy] [SPAM] Re: New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

[Hosnieh Rafiee <hosnieh.rafiee@huawei.com>]

> 
> > I provided several reason that the observer doesn't exist.
> 
> No, you provided several reasons why you think this decision is an
> unreasonable one.  Prior to the evidence from a couple years ago that
> national governments were doing wide-spread vacuuming up of everything
> they could by perfoming passive attack through the means of tapping
> lines and so on, the position you are taking was entirely reasonable.
> But in the face of that evidence, some people have decided that, even
> if they can't protect themselves reliably all the time, they get enough
> marginal benefit from privacy to do it whenever they can, even if it's
> not perfect and not terribly hard to subvert.
> 
> In other words, you are basically arguing that the benefit that will
> accrue from this technique is not enough given the costs.  Others
> disagree with you.  Your argument only works if we accept your premise
> that the benefit is not worth the cost; if we evaluate the benefit
> differently, then the cost might be acceptable.

True. Because the people who you are scaring from to eavesdrop the communication already know how you want to process this...

To be clear... IF this approach wasn't public and not known, then you might benefit from it but when something is public and known, what you would do as an attacker? Do you still wait in a hope of receiving plain text information or easily change your role to a resolver and receive information you want as it is not hard to detect.

So in long term there is no benefit to use encryption without authentication in resolver scenario.  


> > What I tried to explain here is that an observer role doesn't make
> sense in resolver scenario.
> 
> Except that we have an existence proof that it does.

It really doesn't... at least in this scenario. Why? Because this approach would be standard and well known... So, if anyone (or the whom you're talking about) before played the observer role now they would change their role because they are still interested to receive your data and your node is unable to detect this interceptions since whatever resolver you use is valid by your node either a fake resolver or a real resolver.


> > DNSSEC just came to this game when some folks say that DNSSEC can
> protect this and they only need encryption.
> 
> If you had strong authentication of the resolver, then this would be
> true.  Since TSIG (which I expect you remember) or SIG(0) can solve the
> authentication part, then in fact the only thing you would need _is_
> encryption, and then you could rely on the DNSSEC piece as well.
> 

We already know the problem with those approaches and as you said brining DNSSEC to this discussion doesn't make sense..

Best,
Hosnieh