huitema,

Question for DNS experts. Do you know of a DNS resolver software that can be configured to use a different IPv6 privacy address for each outgoing DNS query?

SteveBellovin,

@huitema An interesting thought. It would presumably have to do duplicate auto-detect on any address it wanted to use, though.

huitema,

@SteveBellovin This is discussed in the thread. The simplest solution is probably to have the server act as a router, and be the sole user of the IPv6 prefix. Maybe using something like prefix delegation.

mcr314,

@huitema @SteveBellovin What is the goal of the privacy addresses? If it is to prevent tracking, then having them all in the same prefix (whether by SLAAC or PD delegation) seems pretty transparent to me. I think you really want oblivious (HTTP) or something. I have never understood privacy addresses: they don't help unless you are one of many people at Starbucks.

SteveBellovin,

@mcr314 @huitema The original design of stateless autoconfig used the site's network (a /64) and the MAC address of the machine, expanded to 64 bits. That meant that the machine could be tracked across networks, etc., by the low-order 64 bits of the IPv6 address. The purpose of the privacy-preserving addresses was to retain the stateless autoconfig feature (and the consequent ease of administration for small sites), but prevent that sort of tracking.
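The tracking property described in the post above, as an added example that is not part of the thread: a MAC-derived (modified EUI-64) interface identifier stays the same in every /64 the host joins, and an audit check can flag such addresses. The MAC and prefixes are constructed documentation values, and the random identifier is a stand-in for a temporary address, not the RFC's generation algorithm.

```python
import ipaddress
import secrets

LOW64 = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier built from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")


def temporary_iid() -> int:
    """Assumption: a plain random 64-bit identifier stands in for a privacy address."""
    return secrets.randbits(64)


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfig expects a /64")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & LOW64))


def low64(addr) -> int:
    """Low-order 64 bits of an address: the part that follows the machine."""
    return int(ipaddress.IPv6Address(addr)) & LOW64


def looks_mac_derived(addr) -> bool:
    """Audit check: the identifier carries the ff:fe filler of a modified EUI-64."""
    return (low64(addr) >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    mac = "00:00:5e:00:53:01"                             # constructed (documentation range)
    nets = ["2001:db8:1:1::/64", "2001:db8:2:2::/64"]     # constructed: home, cafe
    for net in nets:
        fixed = slaac_address(net, eui64_iid(mac))
        temp = slaac_address(net, temporary_iid())
        print(net, fixed, looks_mac_derived(fixed), temp)
```
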
