In article <CABcZeBOBFFi=da_xezhkyvru6kzvnd5cmqcmoyriyusdh0r...@mail.gmail.com> you write:
>Conversely, what made opportunistic style approaches viable for
>SMTP was that there was an existing protocol handshake that
>could be conveniently adopted to have upward negotiation (STARTTLS).
...
>In this case, I think the relevant question is whether there is some
>viable mechanism (by which I mean one that people might actually
>use) by which recursive resolvers would, in talking to an authoritative
>resolver, detect that that resolver supported secure transport and
>upgrade.

It's easy enough to imagine an EDNS option that asks whether a server
supports ADoT, that the client can use as a signal to try again on port
853. This is roughly the same amount of traffic as using STARTTLS in
SMTP, but I have no idea whether the DNS crowd would think it's OK, or
too horribly slow, or we're not interested because you can fake it out
and force downgrades. (SMTP also has that last problem, of course, at
least until MTA-STS and/or signed TLSA.)

R's,
John

PS: there's always dnscurve

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
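The probe-and-retry client logic John sketches, as an added example written for this page rather than code from the thread or from any resolver. The option code is an assumed placeholder from the EDNS local/experimental range, and the `seen_adot` cache is an added mitigation for the downgrade he mentions: a server that once advertised ADoT and then stops is flagged instead of silently falling back to cleartext.

```python
import struct

# Assumed option code: placeholder from the EDNS Local/Experimental range (65001-65534, RFC 6891)
ADOT_PROBE, OPT_TYPE, DOT_PORT = 65001, 41, 853

def build_opt_rr(options):
    """OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL = 0."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata

def build_probe_query(qname, txid=0x1234):
    """Iterative A query (RD=0) carrying an empty ADoT-probe option in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1) + build_opt_rr([(ADOT_PROBE, b"")])

def skip_name(msg, off):
    """Advance past a (possibly compressed) name; a pointer is two bytes and ends the name."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def opt_options(msg):
    """Walk a DNS message and return {code: data} from its OPT RR ({} if there is none)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT_TYPE:
            opts, p = {}, 0
            while p + 4 <= len(rdata):
                code, ln = struct.unpack("!HH", rdata[p:p + 4])
                opts[code], p = rdata[p + 4:p + 4 + ln], p + 4 + ln
            return opts
    return {}

def choose_transport(response, server, seen_adot):
    """Port 853 if the server advertises ADoT. seen_adot remembers servers that ever did, so a
    later reply without the option (the forced downgrade John mentions) is flagged, not trusted."""
    if ADOT_PROBE in opt_options(response):
        seen_adot.add(server)
        return DOT_PORT, "upgrade"
    return (DOT_PORT, "suspected-downgrade") if server in seen_adot else (53, "cleartext")
```

The sample response bytes below are constructed for the test, not captured from any real server.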
