Warren,

On Nov 3, 2019, at 7:27 AM, Warren Kumari <[email protected]> wrote:

> Can you expand on this? Is the convention that if I see x-dot.example.com,
> then I should expect DoT?
>
> Yup, that’s it exactly.
>
> As a DNS person, encoding semantics into the name makes me twitch, and I’m
> concerned we eventually end up with:
> x-dot-doh-ipv4-and-IPv6-I-also-support-tcp-far-our-in-the-uncharted-backwaters-of-the-western-spiral-arm.example.com
> but as a pragmatic deployment it seems to work.
>
> A suitably positioned *active* attacker could probably still cause a
> downgrade (because glue isn’t signed), but it requires much more work on the
> attacker's part than:
>
> deny I do any any 853
> permit ip any any
>
> This also gives us the opportunity for a bikeshed discussion re: what label
> to use :-)
Oh! Bikeshedding! Yay!

You could do x-<ldh-encoded bit string of binary options indicating support for various transport technologies>.example.com!

What’s the emoji for tongue-in-cheek again?

Regards,
-drc
