> -----Original Message-----
> From: dns-privacy <[email protected]> On Behalf Of Neil Cook
> Sent: Wednesday, November 27, 2019 3:02 PM
> To: Phillip Hallam-Baker <[email protected]>
> Cc: [email protected]
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> > On 26 Nov 2019, at 17:35, Phillip Hallam-Baker <[email protected]> wrote:
> >
> > So what I see is a requirement for DNS resolver configuration. We already
> > have rfc6763 to tell us how to get from a DNS label to an Internet service.
> > Albeit one that presupposes the existence of a resolution mechanism. I don't
> > see it being problematic to use the local DNS to do this resolution provided
> > that 1) we have the means to authenticate the connection and 2) we only
> > use this mechanism once, to perform initial configuration.
> >
>
> How will the connection to the local resolver be authenticated? Also,
> presumably this mandates the use of DNSSEC by the client?

The client can validate the server certificate signed by a CA, and it will work for Enterprise deployments. However, it will be challenging for the DNS forwarder co-located on the home router to get the certificate signed by a CA today, but it may be possible in the future with ACME https://tools.ietf.org/html/draft-ietf-acme-ip-08 and IPv6.

-Tiru

>
> Neil
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
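
Added example, not part of the thread or any participant's code: a client that only talks to a resolver whose certificate chains to a trusted CA and names the resolver, including by IP address, which is the case the ACME IP draft targets. It assumes the resolver speaks DNS over TLS on port 853 (the message does not say which transport); the function names and the `publicly_certifiable` heuristic are illustrative.

```python
import ipaddress
import socket
import ssl
import struct

DOT_PORT = 853  # assumption: resolver speaks DNS over TLS (RFC 7858)

def publicly_certifiable(resolver):
    """Heuristic: names and global IPs can be validated by a public CA;
    private or link-local addresses (typical home router) cannot."""
    try:
        return ipaddress.ip_address(resolver).is_global
    except ValueError:
        return True  # not an IP literal, treat as a DNS name

def strict_context(cafile=None):
    """TLS context that fails closed on an unauthenticated resolver."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # match name or IP against SANs
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must end at a trusted CA
    return ctx

def dot_frame(qname, qtype=1, txid=0):
    """DNS query (RD set, class IN) with the 2-byte TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").encode("ascii").split(b".")
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def query(resolver, qname, cafile=None):
    """Send one A query; raises ssl.SSLCertVerificationError if the
    certificate does not chain to a trusted CA or does not name `resolver`."""
    with socket.create_connection((resolver, DOT_PORT), timeout=5) as raw:
        # An IP literal here is checked against the cert's iPAddress SANs.
        with strict_context(cafile).wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(dot_frame(qname))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)
```

In an enterprise deployment, `cafile` can point at the internal CA bundle so that resolvers on private addresses still verify.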
