On Tue, 2020-05-19 at 11:51 +0200, Mikael Abrahamsson wrote:
> On Tue, 19 May 2020, Peter van Dijk wrote:
>
> > please find below all details about our proposal for enabling DoT from
> > resolver to authoritative.
>
> Thanks, interesting approach.
Thanks!

> Some thoughts...
>
> "If the DoT connection is unsuccessful or the public key
> supplied by the server does not match one of the DS digests, the
> resolver MUST NOT fall back to unencrypted Do53."
>
> Can we somehow make this behavior configurable by means of a flag (or
> something) by the domain holder? To say if fallback is ok or not?

Yes, we have imagined a few ways to make that possible:

* careful use of DNSKEY flags
* a special DNSKEY value ('empty')

But we've had trouble figuring out a decent use case for allowing the
fallback. With my 'resolver developer' hat on, I don't want probing/fallback
code in the hot resolution path; it adds complexity and hurts performance.

> Also, when I want to roll keys, can I specify multiple keys during this
> key roll period?

Yes, specifying multiple keys (i.e. placing multiple DS records) is allowed.
This is necessary because separate NSes might have different keys, and
conveniently this enables key rolling as well.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
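The two points made in the reply above, no fallback to cleartext Do53 when the presented key does not match a DS digest, and several DS records published at once so that a key roll (or different keys on different name servers) can be represented, can be illustrated with a small model of the resolver-side check. The following is an added example written for this page, not code from the thread, the proposal, or PowerDNS. It assumes, for illustration only, that the DS digest is computed directly over the bytes of the public key the DoT server presents (the thread does not define the exact digest input, and real DNSSEC DS digests cover owner name plus DNSKEY RDATA instead); the key bytes and function names are constructed for the example.

```python
import hashlib

# DS digest type numbers as registered for DNSSEC DS records
# (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample key material: stand-ins for the DER-encoded public keys
# a DoT authoritative server would present during the TLS handshake. Not real keys.
OLD_KEY = b"constructed-spki-old-key-bytes"
NEW_KEY = b"constructed-spki-new-key-bytes"
ROGUE_KEY = b"constructed-spki-unknown-key-bytes"


def ds_digest(pubkey: bytes, digest_type: int) -> str:
    """Hex digest of the presented public key using a DS digest type.

    Assumption for this example: the digest covers the presented public key
    bytes directly. The thread does not specify the real input format.
    """
    return hashlib.new(DIGEST_ALGOS[digest_type], pubkey).hexdigest()


def publish_ds(keys, digest_type: int = 2):
    """Zone-operator side: one DS record per currently valid key.

    Publishing several records at once is what lets different name servers
    use different keys and lets an old and a new key coexist during a roll.
    """
    return [(digest_type, ds_digest(k, digest_type)) for k in keys]


def key_matches_ds(pubkey: bytes, ds_records) -> bool:
    """Resolver side: accept the presented key if it matches ANY published DS."""
    for digest_type, digest_hex in ds_records:
        if digest_type not in DIGEST_ALGOS:
            continue  # unknown digest type cannot be used for validation
        if ds_digest(pubkey, digest_type) == digest_hex:
            return True
    return False


def resolver_decision(dot_connected: bool, presented_key, ds_records) -> str:
    """Apply the rule quoted in the thread.

    If the DoT connection failed, or the presented key matches none of the
    DS digests, the outcome is a hard failure. There is deliberately no
    "fallback-do53" return value: the resolver MUST NOT downgrade to cleartext.
    """
    if not dot_connected:
        return "fail"
    if presented_key is None or not key_matches_ds(presented_key, ds_records):
        return "fail"
    return "use-dot"


if __name__ == "__main__":
    # Mid-roll: both the old and the new key are published, so either is accepted.
    ds = publish_ds([OLD_KEY, NEW_KEY])
    for label, key in (("old", OLD_KEY), ("new", NEW_KEY), ("rogue", ROGUE_KEY)):
        print(label, "->", resolver_decision(True, key, ds))
    # After the roll: only the new key remains published; the old key now fails.
    print("old after roll ->", resolver_decision(True, OLD_KEY, publish_ds([NEW_KEY])))
```

The `resolver_decision` function has exactly two outcomes on purpose: the absence of a third "try Do53" branch is what keeps probing and fallback logic out of the hot resolution path, which is the concern voiced in the reply. The roll is handled entirely on the publishing side by keeping the old DS alongside the new one until every server presents the new key.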