[kwlug-disc] CIRA Canadian Shield DNS
Chris Irwin
chris at chrisirwin.ca
Tue Apr 7 16:18:03 EDT 2020
(Quick aside, can somebody ack the list to ensure this was received?
Particularly if you're on a large host like gmail/o365/etc? I've got
SPF, DKIM, and DMARC set up and am curious if it affects re-delivery via
mail lists)
Just curious if anybody has thoughts on CIRA's new "Canadian-Shield"
DNS?
https://www.cira.ca/cybersecurity-services/canadian-shield
Big selling features seem to be:
* Keeping data inside Canada
* DNS, DoT, and DoH support
* CIRA being a non-profit
Their FAQ and privacy policy addresses a few privacy concerns, as well:
https://www.cira.ca/cybersecurity-services/canadian-shield/faq
https://www.cira.ca/cybersecurity-services/canadian-shield/privacy
The summary seems to be:
* Don't use personal info for themselves or third parties
* Queries with IPs are logged for 24 hours to detect abuse
* Specifically, they mention IPs removed after 24 hours
* After 24 hours, only aggreggate data retained
Optional DNS-level malware filtering, and optional "family" filters are
available as well. Apparently the family filter blocks Reddit (which to
be fair...). I've been using the malware-filtering DNS for a few days
without complaint.
I did have some issues confirming it was working due to some agressive
DNSSEC enforcement on my router (their non-propigated test domains are
not signed, but the rest of cira.ca is, so my router was refusing to
return an unsigned result for a signed domain). That's not specific to
this DNS, however.
--
Chris Irwin
email: chris at chrisirwin.ca
xmpp: chris at chrisirwin.ca
web: https://chrisirwin.ca
More information about the kwlug-disc
mailing list