I'm giving a talk on Weds at #ripe76 on our survey re: interest and concerns about DNS privacy. Want to make sure this isn't like DNSSEC all over again - if we build it, will operators deploy it? Or are we adding complexity that most operators would rather not have?
The only thing that kinda makes sense is DoH, that can leverage existing HTTP software. Even though there is no privacy improvement here contrary to popular belief, just authentication to mitigate tampering. Like what DNSSEC has been trying to do in vain.
“DNS Privacy” tools give *more* information to resolvers. TLS tickets, and long-lived TCP connections now allow them to fingerprint individual devices even behind Tor/VPN/NAT/CGNAT.
What stuff does QNM break?
It doesn’t exactly break anything but since existing implementations didn’t expect this, some of them don’t respond appropriately. I have heard that AWS is one of these, for example. It’s more like this exposes some latent incompatibility.
If you are really interested in the problem solved by QNAME min, I suggest re-reading RFC 7626.
Remember that researchers spied on AlphaBank/Trump by tapping root servers because QNAME minimization wasn't being used.
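As an added example, not from any participant in the thread: a small Python simulation of the RFC 7816 QNAME minimization algorithm the replies above refer to, showing which names the root and TLD servers learn with and without minimization (the zone layout and server names are constructed for illustration).

```python
# Added example, not from the thread: toy iterative resolver recording what
# each authoritative server sees with and without QNAME minimization
# (RFC 7816). Zone layout and server names are constructed for illustration.
SERVERS = {  # server -> (zone it is authoritative for, child zones delegated)
    "root":         (".",            {"com."}),
    "com-tld":      ("com.",         {"example.com."}),
    "example-auth": ("example.com.", set()),
}
ZONE_SERVER = {zone: srv for srv, (zone, _) in SERVERS.items()}

def in_zone(name, zone):
    """True if name is at or below the zone apex."""
    return zone == "." or name == zone or name.endswith("." + zone)

def serve(server, name):
    """Toy authoritative server: refer under a delegated child, else answer."""
    _, children = SERVERS[server]
    for child in children:
        if in_zone(name, child):
            return "referral", child
    return "answer", None                         # data or NODATA from own zone

def resolve(qname, qtype="A", minimize=False):
    """Return the (server, name, qtype) queries sent while resolving qname."""
    parts = qname.rstrip(".").split(".")          # ['www', 'example', 'com']
    server, depth, queries = "root", 0, []
    while True:
        if minimize and depth < len(parts):
            depth += 1                            # reveal one more label only
            name = ".".join(parts[-depth:]) + "."
        else:
            name = qname                          # classic: full name to everyone
        qt = qtype if name == qname else "NS"     # RFC 7816: NS until full name
        queries.append((server, name, qt))
        kind, child = serve(server, name)
        if kind == "referral":
            server = ZONE_SERVER[child]           # follow the delegation
        elif name == qname:
            return queries                        # authoritative final answer
        # NODATA for a non-cut name in this zone: add a label, ask same server

def seen_by(queries):
    """Names each server learned, which is the privacy-relevant quantity."""
    seen = {}
    for server, name, _ in queries:
        seen.setdefault(server, set()).add(name)
    return seen
```

Compare `seen_by(resolve("www.example.com."))` with the `minimize=True` run: without minimization the root and the TLD server both learn the full name, with it the root learns only `com.`.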
Like every security issue, DNS privacy is complicated, with many threats. Some solutions address a part of the threats; it does not mean they are useless. (Actually, there is never a solution addressing all the threats.)