Given that we are (still supposedly) talking about requirements and not solutions, I would be unhappy with a requirement that prevents a resolver that is not validating from being able to use encrypted transport to authoritative servers. Any protocol we develop for ADoT capability discovery should prevent downgrade attacks but should also work fine for resolvers that do not validate.
--Paul Hoffman

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
