Hi All,
As you will probably know, RFC7858 "Specification for DNS over Transport Layer Security (TLS)" was recently published as a result of work in the IETF DPRIVE working group. Reference implementations of this Standard (and associated supporting features such as those specified in RFC7766) are in progress.
However, since this is a significant evolution for DNS, the first stage in moving towards a deployable production solution would seem to be to run one (or preferably a few) DNS Privacy servers as research experiments. This would allow practical experience of running the service at scale and serve as a research platform for other DNS Privacy activities.
A number of organisations have expressed interest in running such a DNS Privacy enabled server and we would like to start a discussion in the RIPE community to see if there is similar interest from within this group. We would very much like to hear from interested parties who might consider becoming involved in this effort.
Additionally, there have also been exploratory discussions around the possibility of RIPE NCC running such a service as a limited fixed term pilot, if there was sufficient support from the RIPE members. This seems to be something that would fit well with the mission of the RIPE NCC and we would like to hear views from the community about this proposal.
There will be a short presentation in the RIPE DNS working group tomorrow on this topic, so please participate if you are interested.
Regards
Sara.
Hi Sara,
On 05/25/16 11:11, Sara Dickinson wrote:
A number of organisations have expressed interest in running such a DNS Privacy enabled server and we would like to start a discussion in the RIPE community to see if there is similar interest from within this group. We would very much like to hear from interested parties who might consider becoming involved in this effort.
I can't promise anything but we, DNS-OARC, should be able to set up this on our Open DNSSEC-validating Resolvers (or in some other way) along with some graphs showing the utilization.
https://www.dns-oarc.net/oarc/services/odvr
Cheers, Jerry
On 25 May 2016, at 16:19, Jerry Lundström <jerry@dns-oarc.net> wrote:
Hi Sara,
On 05/25/16 11:11, Sara Dickinson wrote:
A number of organisations have expressed interest in running such a DNS Privacy enabled server and we would like to start a discussion in the RIPE community to see if there is similar interest from within this group. We would very much like to hear from interested parties who might consider becoming involved in this effort.
I can't promise anything but we, DNS-OARC, should be able to set up this on our Open DNSSEC-validating Resolvers (or in some other way) along with some graphs showing the utilization.
Jerry (and OARC),
Many thanks for the interest - this seems a good fit for OARC.
Sara.
Jerry,
This sounds like a wonderful opportunity and I look forward to continued discussion. Taking a look at the ODVR link, one thing that jumps out at me is the contrast between end-users purposefully using the server for privacy and the provision of their DNS query data to the OARC membership. Even with the great OARC policies around data use, this seems to need work. Sara mentioned to me that there is current OARC member discussion of anonymizing data sets, and I think this would be a good experimental platform for anonymizing/de-identifying from day 1.
Allison
On 25 May 2016 at 10:19, Jerry Lundström <jerry@dns-oarc.net> wrote:
Hi Sara,
On 05/25/16 11:11, Sara Dickinson wrote:
A number of organisations have expressed interest in running such a DNS Privacy enabled server and we would like to start a discussion in the RIPE community to see if there is similar interest from within this group. We would very much like to hear from interested parties who might consider becoming involved in this effort.
I can't promise anything but we, DNS-OARC, should be able to set up this on our Open DNSSEC-validating Resolvers (or in some other way) along with some graphs showing the utilization.
https://www.dns-oarc.net/oarc/services/odvr
Cheers, Jerry
Hi Allison,
On 05/26/16 16:58, Allison Mankin wrote:
Taking a look at the ODVR link, one thing that jumps out at me is the contrast between end-users purposefully using the server for privacy and the provision of their DNS query data to the OARC membership.
ODVR was just a thought and at the time the purpose of this was not known. Sara just presented the purpose and before we start doing anything we need to discuss it more.
Cheers, Jerry
On Wed, May 25, 2016 at 11:11:08AM +0200, Sara Dickinson <sara@sinodun.com> wrote a message of 32 lines which said:
A number of organisations have expressed interest in running such a DNS Privacy enabled server and we would like to start a discussion in the RIPE community to see if there is similar interest from within this group.
Very good idea (today, we lack public privacy-enabled name servers). Note that, since it uses TCP only, it won't be used for reflection attacks.
participants (4)
- Allison Mankin
- Jerry Lundström
- Sara Dickinson
- Stephane Bortzmeyer