I'm giving a talk on Weds at #ripe76 on our survey re: interest and concerns about DNS privacy. Want to make sure this isn't like DNSSEC all over again - if we build it, will operators deploy it? Or are we adding complexity that most operators would rather not have?
Replying to @ISCdotORG @jpmens
Certificate management is still hard, and will fail the same way as DNSSEC for the same reasons. qname minimisation breaks stuff and is a solution looking for a problem. The “DNS privacy” appellation is mostly a lie as long as resolvers can, and do see and log everything.
The only thing that kinda makes sense is DoH, that can leverage existing HTTP software. Even though there is no privacy improvement here, contrary to popular belief, just authentication to mitigate tampering. Like what DNSSEC has been trying to do in vain.
“DNS Privacy” tools give *more* information to resolvers. TLS tickets, and long-lived TCP connections now allow them to fingerprint individual devices even behind Tor/VPN/NAT/CGNAT.
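As an added illustration of the fingerprinting claim in the tweet above (this is example code written for this page, not anything the tweet's author or any resolver operator published), the following Python simulates what a DoT/DoH resolver can do with its own connection log. Every name here is an assumption: the log entries are constructed, the tickets are opaque ids standing in for real TLS session tickets, and the resolver is assumed to record which ticket it issued on each connection and which ticket (if any) a later connection presented for resumption. Chaining "issued on A, presented on B" links connections from the same client state even when the source address changes, which is what grouping by IP alone (the NAT/CGNAT/VPN case) cannot do.

```python
from collections import defaultdict

# Constructed resolver-side TLS connection log (not real data). One entry per
# connection. "resumed" is the ticket the client presented in its ClientHello
# (None for a full handshake); "issued" is the NewSessionTicket the resolver
# handed back on that connection; "qnames" are the queries seen on it.
LOG = [
    {"conn": 1, "src": "203.0.113.10", "resumed": None, "issued": "t1", "qnames": ["mail.example", "news.example"]},
    {"conn": 2, "src": "203.0.113.10", "resumed": None, "issued": "t2", "qnames": ["bank.example"]},
    {"conn": 3, "src": "198.51.100.7", "resumed": "t1", "issued": "t3", "qnames": ["mail.example"]},
    {"conn": 4, "src": "198.51.100.7", "resumed": "t2", "issued": "t4", "qnames": ["bank.example", "shop.example"]},
    {"conn": 5, "src": "192.0.2.99",   "resumed": "t3", "issued": "t5", "qnames": ["chat.example"]},
    {"conn": 6, "src": "192.0.2.99",   "resumed": None, "issued": "t6", "qnames": ["cdn.example"]},
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def link_by_ticket(log):
    """Group connections chained by session-ticket resumption.

    A ticket issued on connection A and presented on connection B proves both
    came from the same TLS client state, whatever the source IP was.
    Returns a sorted list of tuples of connection ids, one tuple per device.
    """
    parent = {e["conn"]: e["conn"] for e in log}
    issued_on = {e["issued"]: e["conn"] for e in log if e["issued"]}
    for e in log:
        ticket = e["resumed"]
        if ticket in issued_on:
            a, b = _find(parent, issued_on[ticket]), _find(parent, e["conn"])
            parent[a] = b
    groups = defaultdict(list)
    for conn in parent:
        groups[_find(parent, conn)].append(conn)
    return sorted(tuple(sorted(g)) for g in groups.values())


def link_by_src(log):
    """Naive grouping by source address: merges unrelated devices behind one
    NAT and splits one device that changes address."""
    groups = defaultdict(list)
    for e in log:
        groups[e["src"]].append(e["conn"])
    return sorted(tuple(sorted(g)) for g in groups.values())


def profile(log, groups):
    """Per-device view a resolver could build: addresses seen and names queried."""
    by_conn = {e["conn"]: e for e in log}
    out = []
    for g in groups:
        ips = sorted({by_conn[c]["src"] for c in g})
        names = sorted({q for c in g for q in by_conn[c]["qnames"]})
        out.append({"conns": g, "src_ips": ips, "qnames": names})
    return out


def strip_tickets(log):
    """Client-side mitigation modelled here: never resume a session (a client
    that sets ssl.OP_NO_TICKET and does a full handshake per connection)."""
    return [dict(e, resumed=None) for e in log]


if __name__ == "__main__":
    for dev in profile(LOG, link_by_ticket(LOG)):
        print("by ticket:", dev)
    print("by src IP:", link_by_src(LOG))
    print("no resumption:", link_by_ticket(strip_tickets(LOG)))
```

With the constructed log, ticket chaining yields three devices, one of which (connections 1, 3, 5) is seen from three different addresses, while grouping by IP pairs connections 1 and 2 that belong to different devices. Disabling resumption collapses the linkage to one group per connection; the per-connection grouping of qnames remains, which is the separate long-lived-connection linkage the tweet also mentions. Real resolvers may or may not log ticket identity, and TLS 1.3 tickets are typically single-use, but single use does not prevent chaining because each resumed connection issues fresh tickets.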
Not saying that these things are bad. Any security improvement is a good thing. But they don’t provide any privacy. Just authentication. Maybe once SNI encryption is a thing, we can talk. Right now, it’s wankery/marketing/ways to get funding.
Meanwhile, domain fronting is being killed by major operators. Including companies chanting “DNS privacy”.
Frank, thanks for your comments. I don’t understand this last comment. Care to DM me and explain further?