Re: [dns-privacy] [SPAM] Re: New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

[Andrew Sullivan <ajs@anvilwalrusden.com>]

On Wed, Aug 20, 2014 at 10:17:57PM +0200, Hosnieh Rafiee wrote:
> help user's privacy if this is for item 3. Before going further, I start
       ^^^^^^^^^^^^^^

No, you're missing the point.  It's not _a user_.  It's _all users_.
That is, the point is not to protect this or that particular user or
this or that particular transaction.  It is to prevent wide-scale
harvesting of _all traffic_, in which any particular user's data might
be.  If someone is attempting to develop an overall picture of both
what is happening on the Internet, and what a particular user is
doing, and to correlate the one with the other, then you need all the
traffic, and by that you can both identify new people "of interest"
and identify overall patterns.

But if people encrypt this data, then you either have to subvert the
recursive server (which you can do with court orders, of course, but
then your plan is exposed), or else you have to break the encryption.
Even if some of the traffic leaks past the encryption layer, the
attack _only_ works at large scale.

You don't seem to be taking that part of the argument seriously.
Until you concede it, there's nothing more to say.

As an aside,

> reason: there is almost no *actual* valid IPv4 addresses ( all nodes are
> behind a NAT) and often DNS servers do not support IPv6 addresses. Do you
> agree?

I agree with neither of those premises.  Public servers are not behind
NAT (and even if they are, knowing the public service address is
enough).  Similarly with end users.  And there are plenty of DNS
servers on v6.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com