On Fri, 14 Dec 2018, Warren Kumari wrote:
>> On the call, someone (Wes?) proposed an alternative such as records in
>> the reverse zones. That would be a huge win for us, since we have a
>> small finite set of nameserver IPs, and easily control our reverse zones
>> (as, I would imagine, do other large providers). I wasn't in Bangkok, so
>> I'm not sure if there were any specific implementation proposals kicked
>> around, but I'd like to start talking about what that would look like.
>> Something TLSA-ish at the reverse name for the nameserver IP? There's
>> obviously some overhead with the recursive having to look up reverse
>> names for NS IPs, but large TTL values could help with that.
> One of the stated reasons for browsers not doing DANE / TLSA was having
> to wait for the TLSA record to come back before you can connect.
>
> "Ah! Fine..", says I, "Just do these in parallel -- you will get back the
> TLSA record at about the same time as the A or AAAA. You could even be
> smart and start making the TCP connection if you happen to get back the
> A first. There, I fixed it for you...[0]".
Well, TLSA was just an example. My point was that a signalling method
based on the nameserver IPs (however it is implemented) would be far
preferable for larger operators like us (and is no less onerous for zone
owners/registrants who are also operators). I don't think we want to be
in the position of requiring each of our customers to opt in to this for
each of their (thousands of) zones. We want to be able to turn this on
in bulk, the same way we'd support any new protocol feature.
-Jon
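To make the per-NS-IP idea concrete, here is an added example (not code from the thread or from any IETF draft) that builds the reverse-zone owner name for a nameserver IP and simulates a resolver caching that record across many zones. The `_853._tcp` prefix, the `SignalCache` class and the 2000-zone sample are all assumptions constructed for illustration; the thread does not fix an owner name or record type.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Assumed owner-name prefix for the "TLSA-ish" record at a nameserver IP's
# reverse name. The thread does not settle on a name; 853 is the DoT port.
SIGNAL_PREFIX = "_853._tcp"


def reverse_signal_name(ns_ip: str) -> str:
    """Owner name a resolver would query for the per-NS-IP signal record.

    Built on the standard reverse-mapping names (in-addr.arpa / ip6.arpa),
    which the nameserver operator controls regardless of who owns the zones.
    """
    addr = ipaddress.ip_address(ns_ip)
    return f"{SIGNAL_PREFIX}.{addr.reverse_pointer}."


class SignalCache:
    """Resolver-side cache of signal records, keyed by reverse name."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, float]] = {}
        self.upstream_queries = 0

    def lookup(self, ns_ip: str, fetch: Callable[[str], Tuple[str, int]],
               now: float) -> str:
        name = reverse_signal_name(ns_ip)
        cached = self._entries.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]          # cache hit: no extra round trip
        value, ttl = fetch(name)      # upstream query (stubbed by the caller)
        self.upstream_queries += 1
        self._entries[name] = (value, now + ttl)
        return value


def resolve_many(zones: Dict[str, List[str]], ttl: int) -> Tuple[int, int]:
    """Look up every zone's NS IPs through one cache; return (zones, upstream queries)."""
    cache = SignalCache()
    fetch = lambda name: ("dot", ttl)   # constructed stub: every NS IP signals DoT
    for i, ns_ips in enumerate(zones.values()):
        for ip in ns_ips:
            cache.lookup(ip, fetch, now=float(i))  # one "second" per zone
    return len(zones), cache.upstream_queries


# Constructed sample: 2000 customer zones, all served by the same four NS IPs.
NS_IPS = ["192.0.2.53", "198.51.100.53", "2001:db8::53", "2001:db8:1::53"]
SAMPLE_ZONES = {f"customer{n}.example": NS_IPS for n in range(2000)}

if __name__ == "__main__":
    print(reverse_signal_name("192.0.2.53"))
    print(resolve_many(SAMPLE_ZONES, ttl=86400))  # 4 upstream queries for 2000 zones
```

With a day-long TTL the four reverse names are fetched once and reused for every zone; with a one-second TTL the cache expires between zones and the resolver pays the reverse lookup on every resolution.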
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy