On Wed, 25 Mar 2015, Nico Williams wrote:
> Any IPsec-based proposals for DNS confidentiality would seem to belong in DPRIVE WG, not DANE WG. DPRIVE's approach seems to be: secure the stub resolver to recursive resolver connection. IPsec fits in that approach, and all that's needed is traditional IPsec configuration learned from DHCP or DHCP plus DNS.
You can already connect using Opportunistic IPsec to oe.libreswan.org using AUTH_NULL, which is as secure as trusting a random key from a random DHCP server. I've added a DNS resolver on it, which is open to anyone that connects with AUTH_NULL IKE/IPsec.

Paul
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane