[Cryptography] Apple's iCloud+ "VPN"
Bill Woodcock
woody at pch.net
Wed Jul 7 23:04:28 EDT 2021
>> On Sat, 26 Jun 2021, Bill Woodcock wrote:
>> Putting aside all of the rest of your arguments, some of which I very much agree with, and others of which I disagree with to one degree or other, I think you should be advocating, as I am, for implementation of Extended DNS Errors. A huge part of the problem, from my point of view, is that users are denied knowledge of _why_ the DNS has not answered their query.
> On Jul 7, 2021, at 9:32 AM, Paul Wouters <paul at nohats.ca> wrote:
> if those errors can be used by the user/DNS software to mark these
> answers as "censored" to ask another resource, and thus circumventing
> the block, the courts will blame that on the DNS provider too, and
> would likely want them to stop returning these extended errors.
Hm. Another post I partly agree with and partly disagree with. What a court might or might not do in the future should in no way influence the production and promulgation of correct engineering solutions in the standards process.
> That won't help because these errors have no authentication.
That, on the other hand, is a deficiency which had not been obvious to me until you pointed it out, and now is. If you’re saying that you believe DNS Extended Errors should include a mechanism for the server generating the error to identify itself and sign the error message, then I agree, and in retrospect this seems like an oversight which should be remedied, and remembered for the future.
-Bill