On 8/6/20 4:59 PM, Paul Hoffman wrote:
> In this use case, a resolver operator says “I’m happy to use encryption with 
> the authoritative servers if it doesn’t slow down getting answers by much”, 
> and an authoritative server says “I’m happy to use encryption with the 
> recursive resolvers if it doesn’t cost me much”.

This motivation confuses me a bit, but perhaps it's just me.  I'd expect
the extra performance costs to be quite close to authenticated
encryption, at least in principle.  And the extra privacy gain feels
relatively small in comparison.

In any case, there may be other common motivations for going
opportunistic.  For example, the fact that for years we don't seem to
really move towards consensus about how exactly the authentication could
be done, but that motivation would be incompatible with desires like
developing these two approaches together - and I must admit I'd really
like to minimize incompatibility among the future approaches (DoT and
DoH come to mind).  I'm sorry if I sound too negative.

--Vladimir

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy