On Fri, Oct 30, 2020 at 10:03 AM Paul Hoffman <[email protected]>
wrote:

> On Oct 30, 2020, at 9:11 AM, Paul Wouters <[email protected]> wrote:
> > I still believe the cost of authenticating a DNS(SEC) server is so low
> > these days (with ACME available at no cost and with full automation)
> > that this draft is better not done.
>
> The cost in terms of CPU cycles is indeed low. That is not the cost that
> is being considered when choosing opportunistic encryption. There is a real
> cost to the system if entire zones get server failures due to
> authentication mistakes made by the authoritative servers (not renewing
> certificates, errors in TLSA records, upstream validation problems that
> cause TLSA records not to validate, ...) or resolvers (dropping trust
> anchors that are in use, bad validation logic for TLSA, ...).
>

How is this different from the transition of the Web to HTTPS? Sure, there
can be misconfigurations of various kinds, but good operational practices
can minimize these, and in return you get strong security.

-Ekr
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
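The operational mistakes Paul Hoffman lists above (certificates not renewed, TLSA records that no longer match what the authoritative server presents) are the kind of thing a pre-deployment check catches before resolvers start failing. The following is an added example, not code from this thread or from any project it discusses; it assumes the server certificate's DER and its SubjectPublicKeyInfo have already been extracted, and uses constructed placeholder bytes in place of real DER.

```python
# Added illustration: pre-flight check for a DANE-authenticated DoT server.
# Does a published TLSA record match the certificate about to be deployed,
# and is that certificate far enough from expiry? (RFC 6698 field semantics.)
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698 usage; 3 (DANE-EE) is the common choice for DoT
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data as published in DNS


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    return rec.data == association_data(cert_der, spki_der, rec.selector, rec.mtype)


def preflight(records, cert_der, spki_der, days_until_expiry, min_days=7):
    """List problems found; an empty list means the rotation is safe."""
    problems = []
    if not any(tlsa_matches(r, cert_der, spki_der) for r in records):
        problems.append("no published TLSA record matches the certificate to deploy")
    if days_until_expiry < min_days:
        problems.append(f"certificate expires in {days_until_expiry} days; renew first")
    return problems


# Constructed sample inputs (placeholders, not real DER); a real check reads
# the server certificate and its SubjectPublicKeyInfo from the key material.
OLD_CERT, OLD_SPKI = b"constructed-old-cert", b"constructed-old-spki"
NEW_CERT, NEW_SPKI = b"constructed-new-cert", b"constructed-new-spki"
OLD_REC = TLSA(3, 1, 1, hashlib.sha256(OLD_SPKI).digest())  # matches old key only
NEW_REC = TLSA(3, 1, 1, hashlib.sha256(NEW_SPKI).digest())  # publish before rotating
```

Running `preflight([OLD_REC], NEW_CERT, NEW_SPKI, 60)` reports the stale record; adding `NEW_REC` (and waiting out the old record's TTL) clears it.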
