Anycast provider for SMTP?

Rob Seastrom rs at seastrom.com
Sat Jun 20 13:22:48 UTC 2015


"Joe Abley" <jabley at hopcount.ca> writes:

>   http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02
>
> There are privacy concerns, here. But we might posit that you're
> already in the business of trading privacy for convenience if you're
> using a public resolver.

Personally, I've always thought the privacy concerns of
draft-vandergaast (not of using public recursive servers) are
overwrought.

The entity running the recursive nameserver has knowledge of the exact
address (not just the subnet) that you're sending the query from, by
inspection of the packet.

The entity running the authoritative nameserver does not...  but
unless you're using DNS for some kind of off-label purpose (
http://code.kryo.se/iodine/ comes immediately to mind), the next thing
you'll be doing once you have the reply is opening some kind of
connection to the address returned...  at which point the target
entity will be able to tell the exact address that you're coming from.
This assessment makes the assumption that the folks running the
authoritative DNS servers are either the target entity or its agent.
If that's an invalid assumption, one might say you have bigger
problems.

If someone could explain a privacy concern here that doesn't involve
dipping into my meager tinfoil supply (I'm low and not going to the
grocery until tomorrow), that would be swell.

-r
