Warren Kumari <[email protected]> wrote:

> If the NS records / labels were _ta.a.iana-servers.net and _ta.b.iana-servers.net, that could be used as a positive signal that the resolver (or if the underscore freaks people out, dns-o-tls.a.iana-servers.net) is listening on 853 and that an inability to connect is a security issue.
Several people seem to quite like this kind of idea, and I think it's a good way to reduce latency (since we have to assume that better glue isn't an option), e.g. Willem and Andreas in https://www.ietf.org/mail-archive/web/dns-privacy/current/msg02137.html

Regarding the specifics, NS targets are hostnames so they have to conform to RFC 952 syntax (no underscores).

I think signalling in the hostname has to be a hint rather than an assertion, since it's vulnerable to a downgrade attack because delegation NS records are unsigned (as Robert pointed out).

Putting the hint in the NS name I think makes the TA bit redundant - it's really too late to be helpful.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Southeast Fitzroy: Southwesterly 5 to 7. Slight or moderate becoming rough or very rough. Mainly fair. Good, occasionally poor.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
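To make the two points in this exchange concrete (NS targets must be RFC 952 hostnames, so an underscore label is not usable, and a hint carried in an unsigned delegation NS name cannot justify failing closed), here is an added example of how a resolver might classify an NS target and derive its transport policy. This is illustrative code written for this note, not from any of the thread participants or from any resolver implementation; the `dns-o-tls` hint label is taken from Warren's example, and the function names and the `signal_is_signed` flag are hypothetical.

```python
import re

# RFC 952 (as relaxed by RFC 1123) hostname label: letters, digits and hyphen,
# no leading or trailing hyphen, at most 63 octets, and no underscore at all.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Hypothetical leftmost label used as the "this server speaks DNS over TLS on
# 853" hint; the thread's example name, not a registered convention.
DOT_HINT_LABEL = "dns-o-tls"


def is_valid_hostname(name: str) -> bool:
    """Return True if `name` is a syntactically valid hostname.

    NS record targets are hostnames, so a label such as `_ta` is rejected here.
    """
    stripped = name.rstrip(".")
    if not stripped or len(stripped) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in stripped.split("."))


def classify_ns_target(name: str) -> str:
    """Classify a delegation NS target.

    'invalid'  - not a legal hostname (e.g. it contains an underscore)
    'dot-hint' - legal hostname whose leftmost label is the DoT hint label
    'plain'    - legal hostname carrying no hint
    """
    if not is_valid_hostname(name):
        return "invalid"
    leftmost = name.rstrip(".").split(".")[0].lower()
    return "dot-hint" if leftmost == DOT_HINT_LABEL else "plain"


def transport_policy(ns_target: str, signal_is_signed: bool = False) -> dict:
    """Decide how a resolver should treat the NS-name hint.

    Delegation NS records in the parent zone are not covered by DNSSEC
    signatures, so an on-path attacker can replace a hinted name with a
    plain one before the resolver sees it. The hint therefore only tells the
    resolver to *try* port 853 first; failing closed on a connection error is
    reserved for a signal that arrived through a signed channel (modelled by
    the hypothetical `signal_is_signed` flag).
    """
    if classify_ns_target(ns_target) != "dot-hint":
        return {"try_tls": False, "fail_closed": False}
    return {"try_tls": True, "fail_closed": signal_is_signed}


def downgrade_demo() -> dict:
    """Show the effect of an attacker rewriting the unsigned NS name.

    The constructed 'before' and 'after' names stand for what the resolver
    sees with and without tampering of the parent-side delegation.
    """
    hinted = "dns-o-tls.a.iana-servers.net."
    stripped_by_attacker = "a.iana-servers.net."
    return {
        "hinted": transport_policy(hinted),
        "after_strip": transport_policy(stripped_by_attacker),
    }


if __name__ == "__main__":
    for target in ("_ta.a.iana-servers.net", "dns-o-tls.a.iana-servers.net",
                   "a.iana-servers.net"):
        print(f"{target:32} -> {classify_ns_target(target)}")
    print(downgrade_demo())
```

Because `transport_policy` never sets `fail_closed` on the strength of the NS name alone, stripping the hint costs the attacker nothing more than forcing a fallback to port 53; that is exactly why the name can only be a latency hint and not an assertion.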
