The idea of doing discovery in a new type of glue in the parent seems interesting. For the unauthenticated use case, it potentially removes a round trip, and doing so is quite valuable. If the WG likes the idea of new-glue-type-in-parent, Peter and I can add it to the draft covering unauthenticated ADoT to keep the two use cases in sync.
Question: why does this draft use an SVCB record instead of a TLSA record for that new glue? The only advantage I see is that SVCB can indicate the DoH template, but the WG has so far not shown interest in DoH over DoT. If DoH is not desired, using TLSA would give the authenticated use case the key to match against, and do so with the same security properties. A deeper question for the WG is the draft's elevation of unsigned records received in authenticated TLS as trustworthy. This WG has gone back and forth on this idea over the years, and I thought we ended up with no such elevation. If I'm wrong, or if the WG shifts back to wanting that, that's great. Peter and I could then make the draft that now covers just unauthenticated DNS actually be about opportunistic DNS (optional authentication). --Paul Hoffman
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
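As an added illustration following the message above (this is not code from the draft, the working group, or Paul Hoffman), here are the two record types being compared, in their wire formats: a TLSA record (RFC 6698) carrying a DANE-EE/SPKI/SHA-256 association that a client can match against the SubjectPublicKeyInfo the name server presents in its TLS certificate, and an SVCB record (RFC 9460) carrying alpn=dot and port=853, which tells the client how to connect but contains nothing to match the server's key against. The SPKI bytes and the target name are constructed for the example; parsing a real certificate to extract its SPKI is left out.

```python
"""TLSA vs SVCB as authentication 'glue' for DNS over TLS (added example).

Wire formats follow RFC 6698 (TLSA) and RFC 9460 (SVCB). The SPKI bytes
and names below are constructed stand-ins, not real key material.
"""
import hashlib
import hmac
import struct

# Constructed stand-in for a DER SubjectPublicKeyInfo (not a real key).
SAMPLE_SPKI_DER = b"\x30\x59\x30\x13" + bytes(range(85))

# --- TLSA (RFC 6698): usage, selector, matching type, association data ---
DANE_EE, SEL_SPKI = 3, 1
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2


def tlsa_rdata(usage: int, selector: int, mtype: int, data: bytes) -> bytes:
    return struct.pack("!BBB", usage, selector, mtype) + data


def parse_tlsa(rdata: bytes) -> tuple[int, int, int, bytes]:
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def tlsa_for_spki(spki_der: bytes) -> bytes:
    """DANE-EE(3) / SPKI(1) / SHA-256(1): the record an operator would publish."""
    return tlsa_rdata(DANE_EE, SEL_SPKI, MT_SHA256, hashlib.sha256(spki_der).digest())


def tlsa_matches(rdata: bytes, presented_spki_der: bytes) -> bool:
    """Match the SPKI presented in TLS against one TLSA record.

    Only DANE-EE with the SPKI selector is handled; anything else fails
    closed rather than being treated as a match.
    """
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != DANE_EE or selector != SEL_SPKI:
        return False
    if mtype == MT_FULL:
        expected = presented_spki_der
    elif mtype == MT_SHA256:
        expected = hashlib.sha256(presented_spki_der).digest()
    elif mtype == MT_SHA512:
        expected = hashlib.sha512(presented_spki_der).digest()
    else:
        return False
    return hmac.compare_digest(assoc, expected)


# --- SVCB (RFC 9460): SvcPriority, TargetName, SvcParams in ascending key order ---
KEY_ALPN, KEY_PORT = 1, 3


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def alpn_param(ids: list[str]) -> bytes:
    # alpn value: sequence of length-prefixed ALPN protocol IDs
    return b"".join(bytes([len(i)]) + i.encode("ascii") for i in ids)


def port_param(port: int) -> bytes:
    return struct.pack("!H", port)


def svcb_rdata(priority: int, target: str, params: dict[int, bytes]) -> bytes:
    out = struct.pack("!H", priority) + encode_name(target)
    for key in sorted(params):  # keys MUST appear in ascending order
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out


def parse_svcb(rdata: bytes) -> tuple[int, str, dict[int, bytes]]:
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        params[key] = rdata[off:off + length]
        off += length
    return priority, target, params


def parse_alpn(value: bytes) -> list[str]:
    ids, off = [], 0
    while off < len(value):
        n = value[off]
        ids.append(value[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ids


if __name__ == "__main__":
    tlsa = tlsa_for_spki(SAMPLE_SPKI_DER)
    print("TLSA matches presented key:", tlsa_matches(tlsa, SAMPLE_SPKI_DER))
    svcb = svcb_rdata(1, "ns1.example.", {KEY_ALPN: alpn_param(["dot"]), KEY_PORT: port_param(853)})
    prio, target, params = parse_svcb(svcb)
    print("SVCB:", prio, target, parse_alpn(params[KEY_ALPN]), "keys present:", sorted(params))
```

The TLSA side gives the client a concrete comparison step (hash the presented SPKI, constant-time compare against the association data); the SVCB side only yields the transport hint (alpn, port). Either record would still have to be delivered in a way the client can trust, which is the separate question the message raises about unsigned records received over authenticated TLS.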
