On Mon, Feb 15, 2021 at 2:37 PM Stephen Farrell <[email protected]> wrote:
> > Hiya, > > On 15/02/2021 22:31, Eric Rescorla wrote: > > This doesn't sound like a very good idea to me. IMO we should only > specify > > a protocol that authenticates the server. > > Fair enough that that's your preference. How's that gonna > work and be deployable though? > The reason we have WGs is to work out such matters in detail, no? And in particular, I think the WG should try to figure out the problem space before designing. However, it seems like there's a relatively obvious strawman proposal here: - We invent some mechanism that allows you to specify in an NS record that the server takes TLS (as a hacky example, "servers have to be named <some-sentinel>.example.com"). - Servers are authenticated via the WebPKI, with the name as listed above. I'm sure there are plenty of things that people won't like about this (e.g., I imagine that some people would like to use DNSSEC), and the signal I just invented is gross. Maybe in the process of deciding what people don't like about this, we can understand the problem space better. -Ekr
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
