Re: [perpass] DNS confidentiality

Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 25 September 2013 12:16 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0E9021F92B7 for <perpass@ietfa.amsl.com>; Wed, 25 Sep 2013 05:16:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.249
X-Spam-Level:
X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcZiEmMMo-Ip for <perpass@ietfa.amsl.com>; Wed, 25 Sep 2013 05:16:24 -0700 (PDT)
Received: from mx4.nic.fr (mx4.nic.fr [192.134.4.12]) by ietfa.amsl.com (Postfix) with ESMTP id 9BE5B21F923D for <perpass@ietf.org>; Wed, 25 Sep 2013 05:16:24 -0700 (PDT)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id A5F3A280627; Wed, 25 Sep 2013 14:15:51 +0200 (CEST)
Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx4.nic.fr (Postfix) with ESMTP id A110D28060F; Wed, 25 Sep 2013 14:15:51 +0200 (CEST)
Received: from bortzmeyer.nic.fr (batilda.nic.fr [IPv6:2001:67c:1348:8::7:113]) by relay2.nic.fr (Postfix) with ESMTP id 9E7C8B38055; Wed, 25 Sep 2013 14:15:21 +0200 (CEST)
Date: Wed, 25 Sep 2013 14:15:21 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Andy Wilson <andrewgwilson@gmail.com>
Message-ID: <20130925121521.GA31952@nic.fr>
References: <524150C7.2020602@cs.tcd.ie> <CAL2p+8S_GCDQC3GtxdFZ+T-hXxo8FHUfFumKN425-2kHs=Ts=w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAL2p+8S_GCDQC3GtxdFZ+T-hXxo8FHUfFumKN425-2kHs=Ts=w@mail.gmail.com>
X-Operating-System: Debian GNU/Linux 7.1
X-Kernel: Linux 3.2.0-4-686-pae i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: perpass <perpass@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 12:16:29 -0000

On Tue, Sep 24, 2013 at 11:31:10PM +1200,
 Andy Wilson <andrewgwilson@gmail.com> wrote 
 a message of 104 lines which said:

> Have you seen DNSCurve? http://dnscurve.org/

Channel-security solutions like the non-standard and poorly documented
DNScurve provide confidentiality against a passive third-party
observer. Not against the operators of the authoritative name servers
who see a lot of traffic and can share it with others. (For instance,
several of the root name servers are managed by the US army or a US
government agency.)

Not to mention the resolvers of the ISP or the big open resolvers like
OpenDNS or Google Public DNS, both based in PRISMland. (They see even
more since the caching does not "protect" against them.)

To summary, modify DNS to ensure confidentiality is highly
non-trivial.