On Mon, Jun 06, 2016 at 07:19:31AM -0400, Tim Wicinski <[email protected]> wrote a message of 79 lines which said:
> We started the discussion a few meetings back that we are planning
> on rechartering to address the resolver-to-authority session. We
> (Warren and myself) wanted to wait until we've started seeing
> deployment and have gotten some operational data sets that would
> give everyone the warm fuzzy feelings needed to move along.

In the meantime, if someone is brave enough to write an individual
I-D describing the resolver-to-authority usage of TLS.

Distribution of the keys is of course the biggest difference with RFC
7858. The security/authentication model has to be completely
different. I see several solutions:

* encoding the key in the auth. server name (as in DNSCurve)
* publishing keys in the DNS, secured with DNSSEC (as in DANE), which
  raises an interesting bootstrap problem,
* not checking the keys at all, accepting anything,
* add here your own favorite solution.

Documenting these possible choices would certainly help and we don't
need rechartering to write/read an individual draft :-)
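The three key-distribution options listed in the message above, sketched as one resolver-side decision. This is an added example, not part of the original message or of any draft. The `tp1-` label format, the function names and the sample key bytes are assumptions made for illustration.

```python
import base64
import hashlib

PIN_PREFIX = "tp1-"  # hypothetical label prefix, invented for this example

# Constructed stand-ins for two servers' DER-encoded SubjectPublicKeyInfo.
SAMPLE_KEY = b"constructed-spki-bytes-server-A"
OTHER_KEY = b"constructed-spki-bytes-server-B"


def spki_digest(spki_der):
    return hashlib.sha256(spki_der).digest()


def pin_label(spki_der):
    """First label of a server name that embeds a SHA-256 pin of the key."""
    b32 = base64.b32encode(spki_digest(spki_der)).decode().rstrip("=")
    return PIN_PREFIX + b32.lower()  # 4 + 52 characters, under the 63 limit


def tlsa_311(spki_der):
    """TLSA RDATA as a tuple: usage 3 (DANE-EE), selector 1 (SPKI), type 1 (SHA-256)."""
    return (3, 1, 1, spki_digest(spki_der))


def tlsa_matches(spki_der, record):
    usage, selector, mtype, data = record
    if (usage, selector, mtype) != (3, 1, 1):
        return False  # other parameter combinations are not handled here
    return spki_digest(spki_der) == data


def authenticate(ns_name, spki_der, tlsa_rrset=(), tlsa_secure=False):
    """Return 'name-pin', 'dane', 'unauthenticated' or 'reject'."""
    label = ns_name.lower().split(".")[0]
    if label.startswith(PIN_PREFIX):
        # Option 1: the name from the delegation carries the pin itself.
        return "name-pin" if label == pin_label(spki_der) else "reject"
    if tlsa_rrset and tlsa_secure:
        # Option 2: only a DNSSEC-validated TLSA RRset counts as a pin.
        ok = any(tlsa_matches(spki_der, r) for r in tlsa_rrset)
        return "dane" if ok else "reject"
    # Option 3: nothing to check against; encrypted, but any key is accepted.
    return "unauthenticated"
```

In this sketch a TLSA RRset that did not validate under DNSSEC is treated the same as no TLSA data at all, so the result is "unauthenticated" rather than "dane".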
