On Tue, 2020-05-19 at 11:51 +0200, Mikael Abrahamsson wrote:
> On Tue, 19 May 2020, Peter van Dijk wrote:
> 
> > please find below all details about our proposal for enabling DoT from 
> > resolver to authoritative.
> 
> Thanks, interesting approach.

Thanks!

> Some thoughts...
> 
> "If the DoT connection is unsuccessful or the public key
>     supplied by the server does not match one of the DS digests, the
>     resolver MUST NOT fall back to unencrypted Do53."
> 
> Can we somehow make this behavior configurable by means of a flag (or 
> something) by the domain holder? To say if fallback is ok or not?

Yes, we have imagined a few ways to make that possible:

* careful use of DNSKEY flags
* a special DNSKEY value ('empty')

But we've had trouble figuring out a decent use case for allowing the
fallback.

With my 'resolver developer' hat on, I don't want probing/fallback code
in the hot resolution path, it adds complexity and hurts performance.

> Also, when I want to roll keys, can I specify multiple keys during this 
> key roll period?

Yes, specifying multiple keys (i.e. placing multiple DS records) is allowed. 
This is necessary because separate NSes might have different keys, and 
conveniently this enables key rolling as well.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
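
The fail-closed check and the multiple-DS key roll discussed in this thread, as an added example (not code from the proposal, from PowerDNS, or from either poster); the digest construction (SHA-256 over raw key bytes) and all key values are assumptions constructed for illustration, since the draft's actual DS digest type and key encoding are not given here:

```python
import hashlib
from typing import Iterable, Optional

def ds_digest(pubkey: bytes) -> str:
    # ASSUMPTION: SHA-256 over the raw public key bytes stands in for the
    # proposal's real DS digest type and key encoding.
    return hashlib.sha256(pubkey).hexdigest()

def publish_ds(pubkeys: Iterable[bytes]) -> set[str]:
    """Zone-operator side: one DS digest per authoritative-server key.
    Publishing several at once covers both distinct keys per NS and a key roll."""
    return {ds_digest(k) for k in pubkeys}

def decide_transport(ds_digests: set[str], presented_key: Optional[bytes]) -> str:
    """Resolver side. presented_key is the key the authoritative server offered
    in the TLS handshake, or None if the DoT connection could not be set up.
    Returns "dot" to proceed or "fail"; there is deliberately no "do53" outcome."""
    if presented_key is None:
        return "fail"  # connection unsuccessful: MUST NOT fall back to Do53
    if ds_digest(presented_key) in ds_digests:
        return "dot"
    return "fail"      # key matches no DS digest: MUST NOT fall back to Do53

# Constructed sample keys (stand-ins for real public key bytes).
OLD_KEY = b"constructed-old-server-key"
NEW_KEY = b"constructed-new-server-key"
ROGUE_KEY = b"constructed-unknown-key"

def key_roll_walkthrough() -> list[str]:
    """Three phases of a roll: old only, both published, new only.
    Each entry is "<outcome for OLD_KEY>/<outcome for NEW_KEY>"."""
    results = []
    for published in ([OLD_KEY], [OLD_KEY, NEW_KEY], [NEW_KEY]):
        ds = publish_ds(published)
        results.append(decide_transport(ds, OLD_KEY) + "/" + decide_transport(ds, NEW_KEY))
    return results

if __name__ == "__main__":
    print(key_roll_walkthrough())                        # ['dot/fail', 'dot/dot', 'fail/dot']
    print(decide_transport(publish_ds([OLD_KEY]), None))  # fail
```

During the middle phase both keys validate, so individual NSes can switch at different times without any resolver ever needing a probe-or-fallback path.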

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy