Paul Hoffman <paul.hoff...@icann.org> wrote:
> On Oct 1, 2018, at 8:50 AM, Tony Finch <d...@dotat.at> wrote:
> >
> > Paul Hoffman <paul.hoff...@icann.org> wrote:
> >>
> >> During earlier discussions of opportunistic encryption in the IETF,
> >> attempted-but-not-required authentication was strongly preferred over
> >> "don't even attempt to authenticate".
> >
> > This is only worthwhile if there is downgrade protection, i.e. the client
> > needs to be able to tell if it is supposed to be able to rely on an
> > authentication mechanism (e.g. using DANE). Without downgrade protection
> > it's equivalent to encryption without authentication.
>
> We have to be careful when we are talking about recursive resolvers. By
> "client" above, I think you mean "customer of the recursive resolver"
> and not "the side of the recursive resolver talking to authoritative
> servers".

No, I'm thinking in terms of client = recursive, server = authoritative,
which are the ends of the connection that we want to improve.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Hebrides, Bailey, Fair Isle, Faeroes, Southeast Iceland: Variable 3 or 4 at
first in east Fair Isle, otherwise cyclonic or westerly 6 to gale 8,
increasing severe gale 9 for a time, then decreasing 4 at times later.
Moderate or rough, becoming very rough or high for a time. Rain or squally
showers. Good, occasionally poor.