>> At this point we say:
>>
>> Implementations therefore
>> SHOULD avoid using this option if the DNS transport is not encrypted.
>>
>> If you did allow this on unencrypted DNS transport this seems like it
>> serves as a utility function for DNS amplification.
>>
>> Wouldn't it be better to say MUST NOT?
>>
>> e.g. this is exclusively for use with TLS / DTLS supporting sessions?
>
> If you're running your DNS over IPsec or an SSLVPN
> then using this might also be ok. So while a "MUST NOT
> use in clear" does seem like it might be correct, that's
> not the same as "MUST NOT except if using (D)TLS"
Is there a difference between what it says ("if the DNS transport is
not encrypted") and what you said ("in the clear")? Would there be a
reason not to change "SHOULD" to "MUST" in the existing text?
b
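To make the "SHOULD" versus "MUST NOT" question concrete, here is an added example (not from the thread or from any draft text) modelling the server-side decision under both readings. It assumes the option being discussed lets a client ask for its response to be padded up to a block boundary and that the server may refuse; the transport labels, block size and byte counts are constructed. The point it shows is the one raised above: over cleartext UDP, honouring the request raises the bytes-out per byte-in ratio, while "encrypted transport" (including IPsec or an SSL VPN, not only (D)TLS) keeps padding available where it is useful.

```python
"""Added example, not part of the dns-privacy thread: a server-side policy
check that models why padding on cleartext transport matters.

Assumption (the thread does not name the option): the option lets a client
ask for its response to be padded up to a block boundary, and the server may
refuse. All sizes and transport labels below are constructed.
"""

from dataclasses import dataclass

# Transport labels are ours. IPsec and an SSL VPN count as "encrypted": the
# thread's point is that "not encrypted" is broader than "not (D)TLS".
ENCRYPTED_TRANSPORTS = frozenset({"tls", "dtls", "ipsec", "sslvpn"})


@dataclass(frozen=True)
class Query:
    transport: str           # "udp", "tcp", "tls", "dtls", "ipsec", "sslvpn"
    wire_size: int           # bytes the client actually sent
    pad_requested: bool      # client included the padding option
    advertised_bufsize: int  # largest response the client says it accepts


def padded_length(length: int, block: int) -> int:
    """Round length up to the next multiple of block (block > 0)."""
    if block <= 0:
        raise ValueError("block must be positive")
    return -(-length // block) * block


def response_size(q: Query, base_response: int, block: int, policy: str) -> int:
    """Size of the response a server sends under a given policy.

    policy == "should":   pad whenever asked (the permissive reading of SHOULD)
    policy == "must_not": pad only when the transport is encrypted
    """
    if policy not in ("should", "must_not"):
        raise ValueError(f"unknown policy {policy!r}")
    if not q.pad_requested:
        return base_response
    if policy == "must_not" and q.transport not in ENCRYPTED_TRANSPORTS:
        return base_response
    # If even the unpadded answer exceeds the advertised buffer, that is a
    # truncation question, not a padding one: send it unpadded.
    if base_response > q.advertised_bufsize:
        return base_response
    # Otherwise pad, but never beyond what the client advertised.
    return min(padded_length(base_response, block), q.advertised_bufsize)


def amplification(q: Query, resp_size: int) -> float:
    """Bytes sent back per byte received: the ratio a rate limiter or
    abuse-detection rule would track per cleartext UDP source."""
    return resp_size / q.wire_size


def compare(q: Query, base_response: int, block: int) -> dict:
    """Response size and amplification under both policies for one query."""
    out = {}
    for policy in ("should", "must_not"):
        size = response_size(q, base_response, block, policy)
        out[policy] = (size, round(amplification(q, size), 2))
    return out


if __name__ == "__main__":
    # Constructed sample: a 60-byte cleartext UDP query whose unpadded
    # answer is 231 bytes, padded to a 468-byte block boundary.
    clear = Query("udp", 60, True, 4096)
    for policy, (size, ratio) in compare(clear, 231, 468).items():
        print(f"{policy:9s} udp: {size:4d} bytes, x{ratio}")
    # The same request over TLS is padded under both policies.
    enc = Query("tls", 60, True, 4096)
    for policy, (size, ratio) in compare(enc, 231, 468).items():
        print(f"{policy:9s} tls: {size:4d} bytes, x{ratio}")
```

Running it prints the two ratios side by side for the constructed query: under the permissive reading the cleartext UDP answer grows from 231 to 468 bytes (7.8x the query size), while the "must_not" policy leaves it at 231 bytes and still pads the TLS, IPsec or VPN case.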
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy