Re: [DNSOP] my dnse vision

Francis Dupont <Francis.Dupont@fdupont.fr> Wed, 05 March 2014 13:27 UTC


 In your previous mail you wrote:

>  > Or in other words you don't need confidentiality with 8.8.8.8
>  
>  Why don't we need confidentiality with open resolvers like Google? 

=> because the goal is not confidentiality at the level a Microsoft
environment needs (because Microsoft adopted and extended DNS
with far stronger security requirements) but to make global
surveillance by 3-letter agencies (4 letters in France) more expensive.
And I don't trust Google for this (nor to pay its taxes :-).

>  One might not like that anybody on his/her network knows what he is
>  browsing. This is a part of privacy.

=> IMHO this is more the second problem. Note I also consider that you
want your "own" DNSSEC validating resolver too.

>  >  3- the solution MUST work without prior arrangements
>  
>  Probably you need a miracle. Because with no arrangement, I do not think it
>  is possible.

=> Michael Richardson's opportunistic encryption shows it is possible.
BTW what we want is really opportunistic encryption as defined in
Wikipedia (so don't object that there are at least 3 OEs at the IETF :-).

>  If you use a weak approach, IMHO, it is better to forget encryption since
>  you do not know how powerful an attacker can be and you only bother your
>  computer.

=> not my computer, my resolver. And the goal is not strict/strong
privacy, which BTW is impossible because 3/4 letter agencies can
anyway ask for .com or .fr server logs. Personally I don't like the
idea of DNS encryption, but because I don't want to give a reason to
ISPs to filter port 53.

Regards

Francis.Dupont@fdupont.fr