On 11.03.19 at 17:20, manu tman wrote:
> I have captured in a draft the mechanism I used during the IETF 103 hackathon and
> which is available as an experimental module in knot-resolver[0].
> I was short on time before the cut-off date, but I hope this will better
> explain how it works.
Hello,
For many years I have run a dnscurve proxy [1] in front of my nameservers.
It worked perfectly, but virtually nobody used the encryption feature.
So, the draft *is* interesting to me...
Two points come to my mind while reading the draft:
1.
key rotation is hard.
2.
what's the reason for "In opportunistic mode, the resolver MUST use the
authoritative name server despite the failure." ?
A server operator can't distinguish between a resolver in strict mode and a
resolver in opportunistic mode TOGETHER with a failure (on the server side?)
Another option is to force any resolver supporting "dot-" names to fall back
on port 53.
Andreas
[1] http://curvedns.on2it.net/
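To make the strict-versus-opportunistic question in the thread concrete, here is an added toy model of the resolver-side decision (constructed example, not code from the draft, from knot-resolver or from the curvedns proxy). It assumes, as the thread describes, that an authoritative server signals DoT support with a "dot-" prefix on its NS name, that DoT is tried on port 853 and cleartext on port 53, and that a caller-supplied `transport` callable stands in for the network; `query`, `ServerLog` and `StrictFailure` are hypothetical names chosen for the example.

```python
"""Toy model: what a resolver does when DoT to a "dot-" authoritative fails.

Constructed example for illustration. Assumptions (not from the draft text on the page):
- "dot-" prefix on the NS hostname advertises DoT support
- DoT on port 853, cleartext DNS on port 53
- transport(port) -> bool simulates one attempt; True means the query succeeded
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

DOT_PORT = 853
DO53_PORT = 53


class StrictFailure(Exception):
    """Raised when strict mode forbids falling back to cleartext."""


@dataclass
class ServerLog:
    """Everything the authoritative operator could observe: (port, succeeded) per attempt."""
    events: List[Tuple[int, bool]] = field(default_factory=list)


def advertises_dot(ns_name: str) -> bool:
    # Assumption: the "dot-" label prefix is the DoT capability signal.
    return ns_name.lower().startswith("dot-")


def query(ns_name: str, mode: str, transport: Callable[[int], bool], log: ServerLog) -> int:
    """Send one query and return the port on which it succeeded.

    mode is "strict" or "opportunistic". In strict mode a failed DoT attempt to a
    server that advertises DoT is fatal; in opportunistic mode the resolver falls
    back to port 53, which is the behaviour the thread asks about.
    """
    if mode not in ("strict", "opportunistic"):
        raise ValueError(f"unknown mode {mode!r}")

    if advertises_dot(ns_name):
        ok = transport(DOT_PORT)
        log.events.append((DOT_PORT, ok))
        if ok:
            return DOT_PORT
        if mode == "strict":
            raise StrictFailure(f"{ns_name}: DoT failed and strict mode forbids cleartext")

    # Either the server never advertised DoT, or we are opportunistic and DoT failed.
    ok = transport(DO53_PORT)
    log.events.append((DO53_PORT, ok))
    if not ok:
        raise RuntimeError(f"{ns_name}: no transport succeeded")
    return DO53_PORT


# Constructed transport simulations.
def tls_down(port: int) -> bool:
    """Port 853 is unreachable, port 53 works."""
    return port == DO53_PORT


def all_up(port: int) -> bool:
    return True


def ports_seen(log: ServerLog) -> List[int]:
    """The sequence of ports the operator would see hit, in order."""
    return [port for port, _ in log.events]


if __name__ == "__main__":
    log = ServerLog()
    print("opportunistic, TLS down ->", query("dot-ns1.example.", "opportunistic", tls_down, log), ports_seen(log))
    log = ServerLog()
    try:
        query("dot-ns1.example.", "strict", tls_down, log)
    except StrictFailure as e:
        print("strict, TLS down ->", e, ports_seen(log))
```

Running the two cases side by side shows the asymmetry the reply points at: with the TLS side down, the opportunistic resolver ends up on port 53 just like a resolver that never tried DoT, while the strict resolver gets no answer at all.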
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy