On Feb 8, 2021, at 09:27, Eric Rescorla <[email protected]> wrote:
>
> I do not believe we should adopt this document.
>
> While I think it would be useful to have a mechanism for auto-upgrading
> recursive-to-authoritative resolution to TLS, and that may involve some level
> of insecure discovery, the whole emphasis on opportunistic in this draft goes
> in the wrong direction. The intent should be to get to the state where you
> are secure from active attack as soon as possible.
I agree. If you can't secure the DNS with DNSSEC + TLSA at this point in time, and need to fall back to unauthenticated encryption for DNS, you might as well give up entirely. Especially since a MITM is very simple to do as attackers know the IPs of the authoritative servers. DNS is a PKI. Unauthenticated encryption for DNS at this point in our DNSSEC deployment makes no more sense.

As I have stated previously, I am not in favour of adoption for this document.

Paul
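An added example (not code from the thread or the draft) of the authenticated alternative Paul points to: a resolver checks the DoT server's certificate against a TLSA record for `_853._tcp.<server>` and refuses the association when the record is not DNSSEC-authenticated. It assumes the caller fetched the RRset through a validating resolver and extracted the DER bytes from the TLS handshake; all sample values are constructed.

```python
"""DANE (TLSA) check for a DNS-over-TLS server, standard library only.
Added example, not from the thread. Assumes the TLSA RRset for _853._tcp.<server>
came from a DNSSEC-validating resolver (`authenticated` = its AD bit) and that the
caller extracted `cert_der` / `spki_der` from the TLS handshake. Sample bytes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # only DANE-TA (2) and DANE-EE (3) are usable here, per RFC 7671 guidance
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

    @classmethod
    def from_rdata(cls, text: str) -> "TLSA":
        """Parse presentation-format RDATA such as '3 1 1 a1b2...'."""
        usage, selector, mtype, hexdata = text.split(None, 3)
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def association_data(selected: bytes, mtype: int) -> bytes:
    """Apply the TLSA matching type to the selected certificate data."""
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported TLSA matching type {mtype}")

def dane_accepts(rrset, cert_der: bytes, spki_der: bytes, authenticated: bool) -> bool:
    """Accept only if the RRset is DNSSEC-authenticated and a usable record matches.
    Without the DNSSEC proof an on-path attacker can replace both the TLSA answer and
    the certificate, so an unauthenticated record adds nothing against active attack."""
    if not authenticated:
        return False
    for rr in rrset:
        if rr.usage not in (2, 3) or rr.selector not in (0, 1):
            continue  # PKIX-TA/PKIX-EE and unknown selectors are skipped
        selected = cert_der if rr.selector == 0 else spki_der
        if hmac.compare_digest(association_data(selected, rr.mtype), rr.data):
            return True
    return False

# Constructed sample: one DANE-EE / SPKI / SHA-256 record published for the server.
SAMPLE_CERT = b"constructed-cert-der-bytes"
SAMPLE_SPKI = b"constructed-spki-der-bytes"
SAMPLE_RRSET = [TLSA.from_rdata("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest())]
```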
