On Mon, Oct 19, 2015 at 09:58:41PM +0200, Witold Kręcicki <[email protected]> wrote a message of 28 lines which said:
> I've just posted an updated version of Stateless DNS Encryption
> draft, it still has holes and unanswered questions but it's now
> almost implementable.

Interesting, I think.

The pros: simpler than TLS and may be less traffic (any actual sizing, either in theory or by measurements? TLS has some overhead but DNSENC requires sending a key with each request. You give the numbers for DNSENC but not for TLS).

The cons: DNS-over-TLS can be implemented as a simple transport, irrelevant for the upper layers of the DNS server and client. DNSENC requires the server to memorize the key while the request is pending so you need to change the purely-DNS part of the server.

The neutrals: it is not TLS. I let you decide if it's a pro or a con. It requires DNSSEC.

Technical issues: "NSK RRsets MUST NOT appear at a zone's apex." And then an example with NSK at the apex...
