[Cryptography] Apple's iCloud+ "VPN"

Paul Wouters paul at nohats.ca
Wed Jul 7 12:32:08 EDT 2021


On Sat, 26 Jun 2021, Bill Woodcock wrote:

> Putting aside all of the rest of your arguments, some of which I very much agree with, and others of which I disagree with to one degree or other, I think you should be advocating, as I am, for implementation of Extended DNS Errors.  A huge part of the problem, from my point of view, is that users are denied knowledge of _why_ the DNS has not answered their query.

That won't help because these errors have no authentication. And if
those errors can be used by the user/DNS software to mark these
answers as "censored" to ask another resource, thus circumventing
the block, the courts will blame that on the DNS provider too, and
would likely want them to stop returning these extended errors.

The answer is, use DNSSEC. No one can mess with that without admitting
they are messing with the data. The courts can't change that.

Paul


