Re: [lac-discuss-en] [WHOIS-WG] DNS Privacy Problem Statement - IETF Informational



Carlton

the IETF stuff on this is quite interesting .. a lot of this is "known", but as 
you mentioned, not exactly "obvious" ..

M


--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Domains
http://www.blacknight.co/
http://blog.blacknight.com/
http://www.technology.ie
Intl. +353 (0) 59  9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845
________________________________
From: whois-wg-bounces@xxxxxxxxxxxxxxxxxxxxxxx 
[whois-wg-bounces@xxxxxxxxxxxxxxxxxxxxxxx] on behalf of Carlton Samuels 
[carlton.samuels@xxxxxxxxx]
Sent: 12 November 2013 21:07
To: ICANN WHOIS Expert Working Group; lac-discuss-en@xxxxxxxxxxxxxxxxxxxxxxx; 
<whois-wg@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: [WHOIS-WG] DNS Privacy Problem Statement - IETF Informational

Seems we have a greatly enlarged problem domain compared with the one we're on 
about with RDS.

Here are a few things that caught my eye in the DNS Privacy Problem Statement 
by S. Bortzmeyer (AFNIC maven) to the IETF Network Working Group:

1. Apropos, DNSSEC and confidentiality of the DNS messaging:

"(DNSSEC, specified in [RFC4033], explicitly excludes confidentiality from its 
goals.) So, if an initiator starts a HTTPS communication with a recipient, 
while the HTTP traffic will be encrypted, the DNS exchange prior to it won't 
be."

2. Apropos, surveillance:
"The best place, from an eavesdropper's point of view, is clearly between the 
stub resolvers and the resolvers, because you are not limited by DNS caching."

Per #1, I simply didn't realize this was the case!

Per #2, I long figured that were I in the surveillance business, parking on the 
highway joining the requestor and nameserver with my ears open is the optimal 
point to get all the metadata one could ever hope for.  As the writer notes, they 
are "not in the communication path but are enablers". Individual targeting 
- meaning direct access - can be arranged by one or other means from the info 
presented by metadata.

Thanks to Michele for sharing.  See it all here:
http://tools.ietf.org/pdf/draft-bortzmeyer-perpass-dns-privacy-00.pdf

- Carlton

===============
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
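The two points quoted above (DNSSEC signs but does not encrypt, and the stub-to-resolver hop is the eavesdropper's best seat) come down to one wire-level fact: the question section of a DNS packet is plain bytes. The following is an added illustration, not code from the thread or from the draft: a minimal DNS query builder plus the passive parser an on-path observer would run to lift every QNAME (and, from responses, the answer addresses) off the wire. The packets are constructed inline here, not captured traffic, and the name and address used are the documentation examples (www.example.com, 192.0.2.1).

```python
"""Passive extraction of query names from raw DNS packets (added example).

Shows why the DNS exchange before an HTTPS session leaks the destination name
even though the HTTP traffic itself is encrypted: an observer sitting between
a stub resolver and its recursive resolver reads the QNAME straight out of the
unencrypted wire format. Sample packets are constructed below, not captured.
"""
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build the kind of query a stub resolver sends: RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ipv4: str) -> bytes:
    """Constructed A-record answer to `query`, using a compression pointer
    (0xC00C) back to the question name, as real resolvers do."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset_after_name)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            if not jumped:
                end = off
            return ".".join(labels), end
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def sniff(pkt: bytes) -> dict:
    """What the on-path eavesdropper sees: transaction id, direction,
    every question name/type and, for responses, the A-record addresses."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    # Constructed stub -> resolver query and the resolver's reply.
    q = build_query("www.example.com")
    r = build_response(q, "192.0.2.1")
    for pkt in (q, r):
        print(sniff(pkt))
```

Run stand-alone it prints the parsed query and reply; the name appears in both, which is the whole of the draft's first point. Note that a signed (DNSSEC) response would add RRSIG records to the answer section but would not change a byte of the question section, so this parser reads it just the same.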