On Mon, Nov 04, 2019 at 07:12:46AM -0800, Eric Rescorla <[email protected]> wrote a message of 96 lines which said:
> I'm less worried about the latter because I would expect recursive
> resolvers to generally be operated by people who are able to
> establish their port 853 status.

Not all resolvers are big boxes in the central datacenter. I may want to run a resolver on a small box at home even if my ISP blocks port 853.

> Well, this is why I asked about the threat model. If we care about
> active attack, then this kind of approach does not work well.

I tend to agree with Stephen Farrell here. If we insist on perfect resistance to active attackers, we may never deploy anything.

I would suggest something more like "probe 853, remember what it was last time (to warn the sysadmin about a sudden block), maybe allow to whitelist auth servers that must have DoT".

For signaling, my personal preference goes to DANE, anyway.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
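
The probe-and-remember policy sketched in the message above, written out as an added example that is not part of the thread or of any resolver's code: it keeps the last port-853 result per authoritative server, warns the operator when a server that answered before is suddenly blocked, and hard-fails for operator-whitelisted servers that must have DoT. Probe results are injected as booleans (constructed input), so nothing touches the network; the names `DotState`, `decide` and `run_demo` are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DotState:
    """Resolver-side memory for opportunistic DoT to authoritative servers."""
    last_seen: Dict[str, bool] = field(default_factory=dict)  # server -> did 853 answer last time
    required: Set[str] = field(default_factory=set)           # operator whitelist: DoT mandatory
    warnings: List[str] = field(default_factory=list)         # messages for the sysadmin


def decide(state: DotState, server: str, probe_ok: bool) -> str:
    """Given the latest port-853 probe result, return 'dot', 'do53' or 'fail'.

    'dot'  : use DNS over TLS to this server
    'do53' : fall back to cleartext UDP/TCP 53 (opportunistic mode)
    'fail' : refuse cleartext because the operator marked this server as DoT-only
    """
    prev: Optional[bool] = state.last_seen.get(server)
    state.last_seen[server] = probe_ok
    if probe_ok:
        return "dot"
    if server in state.required:
        state.warnings.append(f"{server}: DoT required but port 853 unreachable; not falling back")
        return "fail"
    if prev is True:
        # Worked last time, blocked now: exactly the "sudden block" worth alerting on,
        # since it is what an on-path downgrade would look like from the resolver's side.
        state.warnings.append(f"{server}: port 853 answered before but is blocked now")
    return "do53"


def run_demo() -> DotState:
    """Replay a constructed sequence of probe results and return the resulting state."""
    state = DotState(required={"ns1.example"})
    decisions = [
        decide(state, "ns2.example", True),    # first contact, 853 answers -> dot
        decide(state, "ns2.example", False),   # now blocked -> do53 plus a warning
        decide(state, "ns1.example", False),   # whitelisted server blocked -> fail
        decide(state, "ns3.example", False),   # never had DoT -> do53, silently
    ]
    state.last_seen["_decisions"] = decisions == ["dot", "do53", "fail", "do53"]
    return state


if __name__ == "__main__":
    for w in run_demo().warnings:
        print("WARNING:", w)
```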
