Re: [DNSOP] my dnse vision
Jelte Jansen <jelte.jansen@sidn.nl> Thu, 06 March 2014 15:36 UTC
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/UTIGsvT7ZpNC2jCzfWDKjxVSYSs
Cc: dnsop@ietf.org, Hosnieh Rafiee <ietf@rozanak.com>

On 03/06/2014 02:39 PM, Stephane Bortzmeyer wrote:
>> all the more reasons for ISPs to try and force you to use theirs
>> (perhaps even after some friendly coercion from the nearest
>> three-letter agency (four in the netherlands as well)). In which
>> case we'd need even better channel encryption, to the point where
>> you can't tell it's DNS, so it can be tunneled out of the network
>
> If we follow this line of reasoning, why do we deploy more security,
> then? With this argument, we would never have deployed HTTPS
> either. (Or SSH: most hotspots and many ISP block SSH.)
>

And lo and behold, you do see forced breakage of SSL, and 'friendly'
MITM attacks forced on people.

But I'm not saying we shouldn't do anything. I'm saying that I'm worried
that if we blindly splat some channel encryption on, we may actually
lower security for a number of people, in which case we need to go even
further and hide the fact that DNS data is being sent in the first
place. Now this may very well have been solved (VPN/SSL tunneling, one
of the existing specific-to-dns channel solutions), but in that case we
should probably be explicit about it.

But really I was working up to my next message, that was a +1 on
splitting up the various problems, and fix (or not fix) those
separately. That might even include not trusting your resolver in the
first place.

> We promised in Vancouver to seriously strengthen the Internet against
> surveillance. Was it an empty promise, politician-style?
>

I think we are all trying to do exactly that.

Or, to be a bit more precise and/or cynical: Of course it was, but we
are trying to do it anyway.

Jelte