This is a discussion on Re: DNS Encryption - DNS ; > I've been trying to get feed back on DNS encryption for months now and > nearly all the comments have related to spelling or grammar, some one > suggested writing an Internet Draft on it and I'd be more ...
> I've been trying to get feed back on DNS encryption for months now and
> nearly all the comments have related to spelling or grammar, some one
> suggested writing an Internet Draft on it and I'd be more likely to get
> feed back so I've done just that. Well attempted to anyway, I've never
> written or submitted anything before so this is all new to me, but I'd
> very much appreciate any and all feed back on the technical merits of my
> proposal as I don't know if this is the best way to do it or not and no
> one else seems to be able to suggest otherwise.
The document lacks a clear threat model and problem statement. As a
result, is not possible to check whether the proposed protocol actually
Sections 2 and 3 do not really describe the on-the-wire protocol.
CERT Glue records (section 4) won't work without changing all recursors
(and probably authoritative servers, too). This means that this
proposal has near zero chance of deployment.
As far as I can see, the proposed protocol, if worked out in full,
solves two problems (data leaks across the hierarchy and eavesdropping
on the wire) but doesn't do anything about enumeration and information
leaks from caching resolvers.
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.