Re: dns & confidentiality? - DNS
Paul Vixie wrote:
> red wrote:
>>For NL it was b) and only b), and it was also recognised that,
>>indeed, it is a whois and not a DNS problem.
> (where "b)" was non-enumeration.)
> non-enumeration as a baseline for what confidentiality means is instructive.
> the folks i've spoken to who care about this characterize it as "if you know
> the domain name exists you should be able to retrieve data about it, else not."
> and when faced with the "rrtype" question, they universally amend it to say
> "and if you know what rrtypes exist you should be able to ask for rdata, else
> so, confidentiality doesn't have to mean "if you know something that only a
> friend or customer or supplier would normally know then you can retrieve
> data about this domain, else not".
> but it probably would mean "if you're not the initiator but you happen to be
> able to monitor the transaction in flight, you should not learn any names or
> data". this is the second tricky part after non-enumerability, and seems to
> imply a full DH preauth between each initiator/responder pair. yow!
Hmmm, not necessarily DH. And, indeed, DH would not prevent active attacks.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
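The two properties the thread circles around (non-enumeration as the baseline, and "an on-path observer learns no names" as the harder second step) can be written down as checks. The following is an added example for this archive page, not code from either poster; the zone contents, the responder functions, the probe list and the "observer" are all constructed for illustration, and the neighbour-leaking responder is a deliberately weak contrast case so the policy check has something to flag.

```python
"""Toy model of DNS confidentiality as defined in the thread.

Property 1 (non-enumeration): rdata is returned only for an exact
(name, rrtype) the querier already knows; a miss names nothing else.
Property 2 (no leakage to an on-path observer): a passive observer of
the exchange should learn no names or data.
Every responder returns (rcode, rdata, extra_names).
"""
from bisect import bisect_left

# Constructed sample zone (not from the thread): owner name -> rrtype -> rdata
ZONE = {
    "example.test.": {"A": ["192.0.2.1"], "MX": ["10 mail.example.test."]},
    "hidden.example.test.": {"TXT": ["internal use only"]},
    "mail.example.test.": {"A": ["192.0.2.25"]},
}

NEGATIVE = "NEGATIVE"  # one uniform negative answer for unknown name or rrtype

# Constructed probe set: a known pair, an unknown name, and a known name
# with an rrtype that does not exist at it.
PROBES = [
    ("example.test.", "A"),
    ("nope.example.test.", "A"),
    ("example.test.", "TXT"),
]


def answer(zone, qname, qtype):
    """Responder matching the thread's baseline. Rdata comes back only for an
    exact (name, rrtype) the querier already knows; a miss on either the name
    or the rrtype gets the same negative answer, which carries no other name."""
    rrsets = zone.get(qname)
    if rrsets is None or qtype not in rrsets:
        return (NEGATIVE, [], [])
    return ("NOERROR", list(rrsets[qtype]), [])


def answer_with_neighbours(zone, qname, qtype):
    """Constructed contrast case: a responder whose negative answer volunteers
    the lexically adjacent owner names (the shape of an unhashed proof of
    non-existence). Those extra names are exactly what non-enumeration forbids."""
    rcode, rdata, _ = answer(zone, qname, qtype)
    if rcode != NEGATIVE:
        return (rcode, rdata, [])
    names = sorted(zone)
    i = bisect_left(names, qname)
    if i < len(names) and names[i] == qname:
        after = names[(i + 1) % len(names)]   # name exists, type does not
    else:
        after = names[i % len(names)]         # name does not exist
    before = names[i - 1]                     # index -1 wraps to the last name
    return (NEGATIVE, [], [before, after])


def satisfies_non_enumeration(zone, responder, probes):
    """Policy check for property 1: over all probes, a response may carry data
    only for the exact (qname, qtype) asked and must name no other owner."""
    for qname, qtype in probes:
        _, rdata, extra = responder(zone, qname, qtype)
        if extra:
            return False
        if rdata != zone.get(qname, {}).get(qtype, []):
            return False
    return True


def observer_view(zone, responder, exchanges):
    """Property 2 under a plaintext transport: the owner names a passive
    on-path observer learns. Every queried name is visible, plus anything the
    responder volunteers, which is why the thread concludes that hiding names
    from an observer needs a key agreement between each initiator/responder
    pair rather than just a better responder policy."""
    learned = set()
    for qname, qtype in exchanges:
        learned.add(qname)
        _, _, extra = responder(zone, qname, qtype)
        learned.update(extra)
    return learned


if __name__ == "__main__":
    print("strict responder non-enumerating:",
          satisfies_non_enumeration(ZONE, answer, PROBES))
    print("neighbour-leaking responder non-enumerating:",
          satisfies_non_enumeration(ZONE, answer_with_neighbours, PROBES))
    print("observer learns (strict responder):",
          sorted(observer_view(ZONE, answer, PROBES)))
```

The point of the last function is the one Vixie's mail makes: even a responder that passes the non-enumeration check still exposes every queried name to whoever can see the transaction in flight, so the second property cannot be met by responder policy alone.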