Here are a few responses to the initial draft. I will try to be on the call unless we lose power again.
There are many parts of the "core requirements" that seem out of place. - Resolvers have never had to understand the different between the root zone and TLDs and SLDs and "other", so introducing that here might cause bikeshedding and lack of adoption. A simpler core requirement would be that DoT is required between resolvers and any interested authoritative server. - QNAME minimization is orthogonal to adding cryptographic privacy. If you have a cryptographic tunnel, QNAME minimization adds overhead and the risk of additional round trips. On the other hand, some resolvers are perfectly happy using QNAME minimization all the time, so they shouldn't have to know whether to change settings if DoT is in use. - The aggressive caching requirement mixes up aggressive caching and normal caching in the all-caps bit. Aggressive caching will reduce the number of TLS connections you need to set up, so it is a positive, but it is unclear how requiring it in order to use ADoT could be enforced. - DNSSEC validation is orthogonal to adding cryptographic privacy. --Paul Hoffman _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
