I'm giving a talk on Weds at #ripe76 on our survey re: interest and concerns about DNS privacy. Want to make sure this isn't like DNSSEC all over again - if we build it, will operators deploy it? Or are we adding complexity that most operators would rather not have?
Replying to @ISCdotORG @jpmens
Certificate management is still hard, and will fail the same way as DNSSEC for the same reasons. qname minimisation breaks stuff and is a solution looking for a problem. The “DNS privacy” appellation is mostly a lie as long as resolvers can, and do, see and log everything.
What stuff does QNM break?
It doesn’t exactly break anything but since existing implementations didn’t expect this, some of them don’t respond appropriately. I have heard that AWS is one of these, for example. It’s more like this exposes some latent incompatibility.
And Akamai. It’s an excellent thing, but compatibility issues may be a showstopper, depending on how much time you can spend on support. If you just want to run an install-and-forget resolver that users don’t complain about, it’s still a bit too early to enable it universally.