On Wed, 2020-05-27 at 21:47 -0400, Ben Schwartz wrote:
> On Wed, May 27, 2020 at 9:27 PM Paul Wouters <[email protected]> wrote:
> > Personally, I think it would be cleanest if we use the DS to signal
> > the DoT nameserver only by FQDN.
>
> I agree. This is the design that I was attempting to describe.
>
> I see now that the chain extension doesn't have to be mandatory. A recursive
> that wants to use the extension can offer it. If it doesn't get a chain
> extension in the reply, it sends a TLSA query over the

emphasis on:

> (as-yet-unauthenticated) TLS connection

This means the TLSA query is subject to leakage by MITM. How bad that is depends on a bunch of things, but it is a wart.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
