Re: [DNSOP] my dnse vision

Francis Dupont <> Wed, 05 March 2014 13:27 UTC

From: Francis Dupont <>
To: "Hosnieh Rafiee" <>
In-reply-to: Your message of Wed, 05 Mar 2014 12:20:33 +0100. <00de01cf3864$ec8f67e0$c5ae37a0$>
Date: Wed, 05 Mar 2014 14:27:49 +0100
Subject: Re: [DNSOP] my dnse vision

 In your previous mail you wrote:

>  > Or in other words you don't need confidentiality with
>  Why don't we need confidentiality with open resolvers like Google?

=> because the goal is not confidentiality at the level a Microsoft
environment needs (because Microsoft adopted and extended DNS
with far stronger security requirements) but to make the global
surveillance by 3-letter agencies (4 letters in France) more expensive.
And I don't trust Google for this (nor to pay its taxes :-).

>  One might not like that anybody on his/her network knows what he is
>  browsing. This is a part of privacy.

=> IMHO this is more the second problem. Note I also consider that you
want your "own" DNSSEC validating resolver.

>  >  3- the solution MUST work without prior arrangements
>  Probably you need a miracle, because with no arrangement I do not think it
>  is possible.

=> Michael Richardson's opportunistic encryption shows it is possible.
BTW what we want is really opportunistic encryption as defined in
Wikipedia (so don't object that there are at least 3 OEs at the IETF :-).

>  If you use a weak approach, IMHO, it is better to forget encryption since
>  you do not know how powerful an attacker can be and you only bother your
>  computer.

=> not my computer, my resolver. And the goal is not strict/strong
privacy, which BTW is impossible because 3/4-letter agencies can
anyway ask for .com or .fr server logs. Personally I don't like the
idea of DNS encryption but because I don't want to give a reason to
ISPs to filter port 53.