
Re: [Cryptography] Apple's iCloud+ "VPN"

>> On Sat, 26 Jun 2021, Bill Woodcock wrote:
>> Putting aside all of the rest of your arguments, some of which I very much agree with, and others of which I disagree with to one degree or other, I think you should be advocating, as I am, for implementation of Extended DNS Errors.  A huge part of the problem, from my point of view, is that users are denied knowledge of _why_ the DNS has not answered their query.

> On Jul 7, 2021, at 9:32 AM, Paul Wouters <paul AT nohats.ca> wrote:
> if those errors can be used by the user/DNS software to mark these
> answers as "censored" to ask another resource, and thus circumventing
> the block, the courts will blame that on the DNS provider too, and
> would likely want them to stop returning these extended errors.

Hm.  Another post I partly agree with and partly disagree with.  What a court might or might not do in the future should in no way influence the production and promulgation of correct engineering solutions in the standards process.

> That won't help because these errors have no authentication.

That, on the other hand, is a deficiency which had not been obvious to me until you pointed it out, and now is.  If you’re saying that you believe DNS Extended Errors should include a mechanism for the server generating the error to identify itself and sign the error message, then I agree, and in retrospect this seems like an oversight which should be remedied, and remembered for the future.



The cryptography mailing list
cryptography AT metzdowd.com