I just re-read that.
I support adoption with a target of being experimental. (It's a bit of a fig leaf, but is correct in this case I think.) I think this will be useful in proportion to the extent to which the WG figures out ways in which this opportunistic mode can evolve towards an authenticated mode. That's not currently in the draft.

To try to answer Ekr's main criticism of this: ISTM the current absence of any authenticated mechanism proposals does weaken your objection significantly. If we don't know how to solve the problem with authentication, but can see a credible way to experiment with an opportunistic approach, then I think documenting the latter is reasonable, esp. if it provides a step on the path to an authenticated solution.

To try to answer Paul's: sad as it is, "If you can't secure the DNS with DNSSEC + TLSA at this point in time,..." is still really counterfactual. One *could* secure the DNS with DNSSEC but ~99% of zones have not done that despite many years of elapsed time and the s/w now being available.

Jim is correct I think in his criticism - I would hope that the WG would be willing to abandon this if it turns out that the eventual RFC would be purely wishful thinking or would do some actual damage.

Cheers,
S.

On 01/02/2021 20:49, Manu Bretelle wrote:
> I support adoption. I think opportunistic encryption will help drive adoption with safe fallbacks, which in turn will help build operational experience, as well as provide opportunities for a feedback loop between implementers and operators to learn, iterate, tweak, and come up with best practices that will inform long-term solutions.
>
> As someone working at an authoritative that provides ADoT [0], I would love to see more diverse adoption than the current handful of resolver operators, as the current data is currently skewed toward 1 specific use-case.
>
> Manu
>
> [0] https://engineering.fb.com/2018/12/21/security/dns-over-tls/
>
> On Fri, Jan 29, 2021 at 5:24 AM Brian Haberman <[email protected]> wrote:
>> All,
>>
>> This starts a DPRIVE WG call for adoption for draft-pp-recursive-authoritative-opportunistic (https://datatracker.ietf.org/doc/draft-pp-recursive-authoritative-opportunistic/). The focus of the call is the protocol defined in the draft. Please reply to the mailing list with your views on the WG adopting the document and your supporting arguments.
>>
>> This call will end on February 12, 2021 at 11:59pm UTC.
>>
>> Regards,
>> Brian & Tim
>>
>> _______________________________________________
>> dns-privacy mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dns-privacy
