
The IETF is pushing for its controversial DNS request crypto initiative


May 25, 2016

On any given day, DNS queries and their responses are routinely treated by many countries as metadata to be collected for law enforcement. Now the IETF would like to see them encrypted in transit, to protect users from surveillance.

That is what RFC 7858 puts forward: that DNS queries between a client and its resolver should travel inside a Transport Layer Security (TLS) session, so that nobody on the path can read or tamper with them. But the new proposal is controversial in a few ways.

To be sure, DNSSEC (less loved than IPv6 but probably inevitable) addresses a different problem. Zone data is cryptographically signed, so a client can verify that the response it receives is authentic, but the queries and answers themselves still travel in the clear for anyone on the path to read.

If you've visited nbnco.com.au and the Australian Federal Police has that domain on a warrant, then under Australia's data-retention regime your visit to the site will be among the things your ISP is expected to retain.

Similar requirements are appearing around the world. It is now two years since the IETF community declared, in RFC 7258, that pervasive monitoring is an attack, and RFC 7858 is part of that stream of work.

“Contrary to what some may say, initiation of DNS over TLS is very straightforward. By establishing a connection over a well-known port, clients and servers expect and agree to negotiate a TLS session to secure the channel,” says the RFC.

For now, however, the main caveat is that some firewalls might block the port (853, which the RFC registers for this purpose). Clients also bear the load of working out which servers support TLS and which don't, and both clients and servers need a secure TLS implementation. How a client behaves when port 853 is blocked matters: one that quietly falls back to cleartext port 53 can be downgraded by anyone able to drop packets to that port.

The current document sticks to the hop between stub clients and recursive resolvers. Recursive resolvers talking to authoritative servers are "out of scope", the RFC says, though it does not rule out applying the protocol there later. That is the hop most system administrators would agree matters first, since it is the one that carries an individual user's queries.
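To make the previous paragraphs concrete, here is an added example, not part of the original article and not the RFC's or any project's own code, of a minimal stub client in Python. It builds an ordinary DNS query, frames it with the two-octet length prefix DNS already uses over TCP, and sends it inside a TLS session to port 853, verifying the resolver's certificate against a name the caller supplies. The response bytes embedded at the bottom are constructed so the parser can be exercised offline; the resolver address and name in the usage note below are placeholders.

```python
"""Minimal RFC 7858 stub client: an RFC 1035 message, TCP-framed, inside TLS on 853."""
import random
import socket
import ssl
import struct

DOT_PORT = 853     # "domain-s", the well-known port RFC 7858 registers
QTYPE_A = 1
QCLASS_IN = 1

def encode_name(name):
    """Dotted name -> RFC 1035 labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, qid=None):
    """Standard recursive query (RD=1). The ID is random, exactly as over UDP."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def frame_tcp(msg):
    """Length prefix in network byte order (RFC 1035 section 4.2.2), reused by DoT."""
    return struct.pack("!H", len(msg)) + msg

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, target, hops + 1
            if hops > 64:                         # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg):
    """Parse header, question and answer sections into a dict."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"id": qid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def query_over_tls(server_ip, server_name, name, port=DOT_PORT, timeout=5.0):
    """One query over TLS to port 853, verifying the resolver's certificate
    against SERVER_NAME. No verification and no fallback to cleartext port 53."""
    ctx = ssl.create_default_context()        # chain + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            f = tls.makefile("rb")            # buffered reads of exact lengths
            tls.sendall(frame_tcp(query))
            (length,) = struct.unpack("!H", f.read(2))
            response = f.read(length)
    result = parse_response(response)
    if result["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response ID does not match query")
    return result

# Constructed response for offline use: id 0x1234, flags 0x8180, one question,
# one A answer whose owner name is a compression pointer back to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)
```

Offline, parse_response(SAMPLE_RESPONSE) yields one A answer for example.com.; against a live resolver (placeholder address and name, network required), query_over_tls("192.0.2.53", "dns.example.net", "example.com") returns the same shape of dict. The point the code makes is that nothing about the DNS message changes: the whole of RFC 7858 is the TLS session and the well-known port. It deliberately refuses to run without certificate verification and has no port 53 fallback; an opportunistic client that downgrades when 853 is unreachable is easier to deploy behind hostile firewalls, but gives up exactly the protection the RFC is after.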

As always, the effectiveness of a system like DNS over TLS depends on deployment. If it looks like it is about to take off, it probably won't be long before law enforcement decides that the technology has opened up another front in the crypto wars. We'll keep you informed.

Source: The Internet Engineering Task Force (IETF).


       © IT Direction. All rights reserved.