On Wed, 6 Nov 2019, Paul Hoffman wrote:

> Given that we are (still supposedly) talking about requirements and not
> solutions, I would be unhappy with a requirement that prevents a resolver that
> is not validating

Why would a _resolver_ not be validating?

I understand the reasons for web applications that do not want to do
validating, though I disagree with those. But for actual DNS resolvers,
running as a DNS caching server on either a laptop or in an enterprise, I
see no valid reason why it should not be validating at this point.

> Any protocol we develop for ADoT capability discovery should prevent downgrade
> attacks but should also work fine for resolvers that do not validate.

I strongly disagree. Resolvers towards Authoritative servers are core
infrastructure, and that core should have no problems using the latest
DNS RFCs.

Paul

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
