"Christian Huitema" <[email protected]> writes:

>> On any other topic I would agree. Breaking DNS should be one of the
>> things to worry about.
>
> Maybe we should make the distinction between "stub resolver" and
> "iterative resolver" part of the architecture. This would be very much
> the same split as between a mail client and an e-mail server. Email
> evolved to use different port numbers for message transmission by SMTP
> and message submission via SMTP, not to mention wholly separate
> protocols for email retrieval.
>
> Given that, I would vote for having a distinct port for "stub to
> iterative DNS," and of course make TLS mandatory on that port.

I agree.

Let's simplify the current DNS-over-TLS document to say it is for stub
resolving and to use one dedicated port with TLS from the start.

The comparison with how SMTP for submission and transmission on port 25
evolved into separate ports is a good one.  And back in those days, it
wasn't feasible to demand TLS for all e-mail submission on port 587, so
the STARTTLS-approach made sense, but for the work here, having direct
TLS à la HTTPS-style on a separate port makes sense to me.

/Simon

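A stub resolver of the kind the thread argues for, written as an added example (it is not code from the thread or from any IETF document): it only ever speaks TLS with certificate and hostname verification, on one dedicated port, using the two-byte length framing that DNS already uses over stream transports. The port number and the recursive resolver's hostname are assumptions; the thread fixes neither.

```python
"""Added example: a TLS-only DNS stub client for the stub-to-recursive split."""
import socket
import ssl
import struct

DOT_PORT = 853  # ASSUMPTION: placeholder for the dedicated port; the thread fixes none


def build_query(name, qtype=1, txid=0x1234):
    """Encode a one-question DNS query (RD=1, QCLASS=IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DNS over a stream transport: two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe(buf):
    """Split one length-prefixed message off the front; return (msg, rest).
    Raises ValueError while the buffer does not yet hold a whole message."""
    if len(buf) < 2:
        raise ValueError("need length prefix")
    n = struct.unpack("!H", buf[:2])[0]
    if len(buf) < 2 + n:
        raise ValueError("incomplete message")
    return buf[2:2 + n], buf[2 + n:]


def tls_context():
    """TLS is mandatory on this port: verified chain and hostname, no plaintext path."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def resolve(name, server_host, port=DOT_PORT, timeout=5.0):
    """Send one query to the recursive resolver over TLS and return the raw reply."""
    with socket.create_connection((server_host, port), timeout=timeout) as raw:
        with tls_context().wrap_socket(raw, server_hostname=server_host) as tls:
            tls.sendall(frame(build_query(name)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed connection mid-message")
                buf += chunk
                try:
                    return unframe(buf)[0]
                except ValueError:
                    continue  # keep reading until the length prefix is satisfied
```

`resolve("example.com", "dns.example.net")` (hostname assumed) performs the network exchange; the framing and query builders run offline.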
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy