Re: [DNSOP] my dnse vision

[Olafur Gudmundsson <ogud@ogud.com>]

On Mar 5, 2014, at 2:42 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> On Wed, Mar 05, 2014 at 12:51:52PM +0000,
> Olafur Gudmundsson <ogud@ogud.com> wrote 
> a message of 41 lines which said:
> 
>> I NEED confidence that I'm talking to the real 8.8.8.8 if the only
>> way to get that is encryption then I support it.
> 
> The goal of the DNSE BoF was privacy, not authentication. For
> authentication, we have DNSSEC :-) For the case where the validating
> resolver is far away and we need to secure the last mile against
> AD-bit tampering, well... no problem statement published, no I-D and
> no BoF yet.

Fair enough 
> 
>> I would prefer that before we start talking about encryption is we
>> agree on label stripping by recursive resolvers as that minimizes
>> the leak of information to root/tld servers.
> 
> Why before? Encryption and QNAME minimization are both great things
> and should be done but they solve different privacy problems:
> 
> * surveillance by a third-party sniffing the wire (encryption)
> * surveillance by the name servers' operators (QNAME minimization)
> 
> 

You and I can in theory write up an BCP candidate on this QNAME minimization, 
topic in one day and have it published in about 3 months and we are done. 
Any recursive resolver can make this change in their next version as an option and we can 
evaluate the impact, and then recommend when to turn on "label stripping" i.e. I'm not sure
if reverse tree should have any QNAME minimization. 

Encryption will take much longer to gain traction, in my mind I do not like that 
for example tad servers can see what is asked for in a sub-domain as xTLD are
most natural collection points thus we need to make the data that they see have as little value
as possible
To my encrypting full QNAME to everyone is non-sensical. 


	Olafur