> Sure, let's be explicit. Proposed addition to the policy section:
>
> If a recursive resolver does not respond on port 443 or set up a TLS
> session, the stub resolver MAY use the normal DNS protocol on port 53.
>
I'm not a fan of making it possible for an attacker to downgrade with a single (non-cryptographically protected) TCP RST packet. If I configure a resolver and declare it to be secure (and use it as such), why not fail closed? Why not detect that as an attack or as outright network censorship?

This seems to fail if there is an active attacker that blocks TLS traffic - is there a way for the resolver to somehow learn in-band on port 53 that this attack is happening?

All the best,
Jacob

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
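The downgrade Jacob describes, as an added example that is not part of the thread or of any draft: a stub resolver's transport selection under the quoted MAY (here called the "opportunistic" policy) next to a fail-closed "strict" policy. The probe shows why one spoofed RST is enough: on the client side a reset or refused connection on port 443 is indistinguishable from "this resolver simply does not do TLS", and there is no in-band signal on port 53 that tells the two apart. The only extra check shown, which is an assumption of this example rather than something the thread proposes, is a per-resolver memory: once a resolver has completed a TLS session, a later failure is treated as an attack or filtering and the stub fails closed instead of falling back. The policy names, the `StubResolver` class and the localhost closed-port stand-in for an attacker's RST are all constructed for this example.

```python
"""Stub-resolver transport selection for DNS over TLS with an optional
fallback to plain port 53.  Added example for this thread, not code from
the dns-privacy list or any draft; the policy names, the 'remember that
this resolver spoke TLS before' rule and the local-port simulation are
assumptions made here."""
import enum
import socket
import ssl


class Outcome(enum.Enum):
    TLS_OK = "tls_ok"                      # handshake completed
    CONN_FAILED = "conn_failed"            # refused/reset: a single RST lands here
    TIMEOUT = "timeout"                    # SYN or handshake silently dropped
    HANDSHAKE_FAILED = "handshake_failed"  # TLS-level failure (bad cert, alert, ...)


class Policy(enum.Enum):
    STRICT = "strict"                # never speak plain DNS; fail closed
    OPPORTUNISTIC = "opportunistic"  # the proposal's MAY: fall back to port 53


class Downgrade(Exception):
    """Raised when falling back to port 53 would silently lose TLS protection."""


def probe_tls(host, port, timeout=2.0, context=None):
    """Try to open a TLS session to host:port and report how it ended.
    Nothing on the wire distinguishes 'no TLS here' from 'an attacker
    reset the connection', so both end up as CONN_FAILED."""
    context = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host):
                return Outcome.TLS_OK
    except socket.timeout:
        return Outcome.TIMEOUT
    except ssl.SSLError:
        return Outcome.HANDSHAKE_FAILED
    except OSError:  # ECONNREFUSED, ECONNRESET, EHOSTUNREACH, no sockets at all ...
        return Outcome.CONN_FAILED


def choose_transport(outcome, policy, tls_seen_before):
    """Return 'tls' or 'plain53', or raise Downgrade to fail closed."""
    if outcome is Outcome.TLS_OK:
        return "tls"
    if policy is Policy.STRICT:
        raise Downgrade(f"TLS failed ({outcome.value}) and policy is strict; "
                        "not using port 53")
    if tls_seen_before:
        # Assumed rule (not in the quoted proposal): once a resolver has
        # completed a TLS session with us, a later failure is treated as an
        # attack or filtering rather than as 'this server does not do TLS'.
        raise Downgrade(f"resolver spoke TLS earlier; refusing downgrade "
                        f"after {outcome.value}")
    return "plain53"


class StubResolver:
    """Per-resolver memory plus the policy above.  `prober` is injectable so
    the decision logic can be exercised without a network."""

    def __init__(self, policy, prober=probe_tls):
        self.policy = policy
        self.prober = prober
        self.tls_seen = set()  # hosts that have completed a TLS handshake with us

    def select(self, host, port=443):  # 443 is the port in the quoted proposal
        outcome = self.prober(host, port)
        transport = choose_transport(outcome, self.policy, host in self.tls_seen)
        if transport == "tls":
            self.tls_seen.add(host)
        return transport


def unused_local_port():
    """Constructed stand-in for an attacker's RST: a localhost port with no
    listener, which the kernel answers with RST (seen as ECONNREFUSED)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = unused_local_port()
    print("probe:", probe_tls("127.0.0.1", port).value)
    for policy in Policy:
        resolver = StubResolver(policy)
        try:
            print(policy.value, "->", resolver.select("127.0.0.1", port))
        except Downgrade as err:
            print(policy.value, "-> fail closed:", err)
```

Run as a script it probes a closed localhost port and prints `plain53` for the opportunistic policy and a fail-closed error for the strict one; swap the port for a real resolver's TLS port to see `tls`. The `tls_seen` memory only helps after a first successful TLS session; a resolver that was never reachable over TLS is still downgraded by the opportunistic policy, which is exactly the gap the message points at.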
