[dns-operations] Research Project: Identifying DNSSEC Validators

Vernon Schryver vjs at rhyolite.com
Thu Sep 6 23:07:28 UTC 2012


> From: Matthäus Wander <matthaeus.wander at uni-due.de>

> > I assume I'm odd, because I'm not eager to put the invisible HREF
> > anchor on my web pages because of the extra DNS transactions imposed
> > on users.  I also have vague worries I can't articulate about privacy
> > concerns.
> >
> > My answer to putting a simple <IMG> beacon on my web pages would
> > be a flat "never."  There are too many technical and legal issues.
> > For example, what about privacy issues with the referer string?

> Can't argue with that. If privacy is an issue, you won't become friends
> with foreign HTTP resources.

I don't understand that.  Whether an HTTP server is foreign or domestic
(for any value of domestic) does not by itself determine its
trustworthiness.  I start by assuming any HTTP server is untrustworthy,
but that doesn't imply that I should involve third parties.

The privacy issues I meant involve the third parties counting DNSSEC
aware resolvers.  The commercial hit counters also claim to be
trustworthy, even as they sell their measurements.  I assume that none
of you guys would do something like correlating referer strings, your
results, and WHOIS or other e-appended values to send email to web
masters offering to sell better DNS resolver software.  I also assume
that if a financial institution put your beacons on their TLS web
pages, none would try to 'leverage' the resulting referer, weak DNS
resolver, and IP address data.  And so forth and so on including other
attacks I can't imagine.  However, a security policy based on assumed
good intentions is incompetent.


Vernon Schryver    vjs at rhyolite.com


