Brian Dickson <[email protected]> wrote:
>
> I think a better comparison (better meaning more relevance and closer
> tracking of the transition and operation) would be the transition of SMTP
> to SMTP using TLS without downgrade susceptibility.

Yes. That was made a lot more difficult because it went through an
intermediate step of unauthenticated TLS, so the protocols and
implementations had to be designed to deal with the fact that a very large
proportion of existing server certificates were wrong. I would prefer not
to have to deal with that again.

> First, a simple assertion: DoTA is only possible/available if it is
> configured by the authoritative DNS operator. Thus, the control of the
> state of whether DoTA is available for zones operated by that operator,
> resides entirely with the operator. This also means that, depending on
> how DoTA availability is signalled or detected, the methods of
> correcting faults in the DoTA operation can vary. Thus, selecting
> signalling/detection mechanisms should take the corrective actions
> available into consideration. IMHO this should actually dominate the
> design.

Yes.

> Third, I'll restate it here: The important characteristic is that whatever
> method(s) are used, they need to be completely downgrade resistant to all
> attack mechanisms, and they need to fail safe.

With the caveat that incremental deployment needs to be possible: If a zone
is hosted by multiple authoritative providers, it should be possible for
one of those providers to deploy DoT without the co-operation of the zone
owner or other providers, and without compromising the availability of the
zone.

That implies a zone only gets a guaranteed private transport if all of its
authoritative providers guarantee a private transport.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Sole: East 4 to 6, occasionally 7 at first. Rough. Showers later. Good.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
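The three design properties argued over in this exchange (downgrade resistance, fail safe, and incremental deployment across several authoritative providers) pull in different directions, and it is easier to see how they fit together as resolver-side policy than as prose. The following is an added example written for this page; it is not code from the thread, from any resolver, or from any draft. It deliberately leaves the signalling/detection mechanism abstract: the `dot_signalled` flag on each nameserver is a hypothetical stand-in for whatever method is chosen, and `tls_handshake_ok` is a stand-in for an authenticated TLS handshake to that server. The nameserver names and providers are constructed sample data.

```python
"""Resolver-side transport policy for DNS over TLS to authoritative servers.

Added illustration of the design points in the thread (downgrade resistance,
fail safe, incremental deployment across several providers). Not code from
the list or from any implementation. How a server signals DoT support is
left abstract: the hypothetical `dot_signalled` flag stands in for whatever
signalling/detection mechanism is eventually chosen.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Transport(Enum):
    TLS = "tls"            # authenticated TLS to the authoritative server
    PLAINTEXT = "udp/tcp"  # classic cleartext DNS


@dataclass(frozen=True)
class NameServer:
    name: str
    provider: str
    dot_signalled: bool  # hypothetical signal; mechanism not defined on the page


@dataclass(frozen=True)
class Outcome:
    transport: Optional[Transport]  # None means the query fails closed
    server: Optional[str]
    private: bool                    # True only when the zone guarantees privacy


def zone_guarantees_privacy(nameservers: list[NameServer]) -> bool:
    """A zone has guaranteed private transport only if every provider signals DoT.

    One provider deploying DoT on its own does not change the guarantee, which
    is what lets it deploy without the zone owner or the other providers.
    """
    providers = {ns.provider for ns in nameservers}
    return bool(providers) and all(
        all(ns.dot_signalled for ns in nameservers if ns.provider == p)
        for p in providers
    )


def pick_transport(
    nameservers: list[NameServer],
    tls_handshake_ok: Callable[[NameServer], bool],
) -> Outcome:
    """Choose a server and transport without ever downgrading a DoT server.

    `tls_handshake_ok` simulates an authenticated TLS handshake (certificate
    validated against the expected name). A False result is either an outage
    or an on-path attacker blocking TLS, and the resolver cannot tell which,
    so both are treated the same way.
    """
    guaranteed = zone_guarantees_privacy(nameservers)

    # Prefer servers that signalled DoT. A failed handshake to one of them is
    # never followed by retrying that same server in the clear: that retry is
    # exactly the downgrade an attacker would be fishing for.
    for ns in (n for n in nameservers if n.dot_signalled):
        if tls_handshake_ok(ns):
            return Outcome(Transport.TLS, ns.name, private=guaranteed)

    if guaranteed:
        # Every provider promised TLS and none delivered: fail safe (the
        # resolver answers SERVFAIL) rather than fall back to plaintext.
        return Outcome(None, None, private=False)

    # Mixed zone during incremental deployment: plaintext is still allowed,
    # but only to servers that never claimed DoT, so availability survives.
    plain = next((n for n in nameservers if not n.dot_signalled), None)
    if plain is not None:
        return Outcome(Transport.PLAINTEXT, plain.name, private=False)
    return Outcome(None, None, private=False)


# Constructed sample data: a zone hosted by two providers, only one of which
# has deployed DoT, beside a zone whose single provider has deployed it fully.
MIXED_ZONE = [
    NameServer("ns1.provider-a.example", "provider-a", dot_signalled=True),
    NameServer("ns1.provider-b.example", "provider-b", dot_signalled=False),
]
ALL_DOT_ZONE = [
    NameServer("ns1.provider-a.example", "provider-a", dot_signalled=True),
    NameServer("ns2.provider-a.example", "provider-a", dot_signalled=True),
]


def tls_always_blocked(ns: NameServer) -> bool:
    """Stand-in for an on-path attacker (or outage) breaking every TLS handshake."""
    return False


def tls_always_ok(ns: NameServer) -> bool:
    """Stand-in for a healthy network where every handshake authenticates."""
    return True


if __name__ == "__main__":
    print(pick_transport(MIXED_ZONE, tls_always_ok))         # TLS to provider-a, private=False
    print(pick_transport(MIXED_ZONE, tls_always_blocked))    # plaintext to provider-b
    print(pick_transport(ALL_DOT_ZONE, tls_always_blocked))  # fails closed
```

The point the code makes that the prose leaves implicit: in the mixed zone the resolver still reaches provider-a over TLS when it can, but `private` stays False, because another query for the same zone may legitimately go to provider-b in the clear, so there is no guarantee to downgrade from. Only when every provider signals DoT does a blocked handshake turn into a failed query instead of a plaintext fallback.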
