Hiya,
On 31/03/2021 01:24, Eric Rescorla wrote:
> As I said earlier, this seems overly conservative given our experience with large scale TLS-based services.

For the root servers, I don't get why QNAME minimisation isn't enough? If it is enough, that'd imply to me that the root server operators' statement is fine, so long as it is only read to apply to root servers and not TLDs.

> With that said, this doesn't seem to me to present a severe problem: there are a relatively small number of TLD servers, so we could probably create a lookaside list of which ones support TLS as suggested in draft-rescorla-dprive-adox-latest-00 Section 3,

I agree that the privacy issues with TLD servers are more worthy of attention and I guess require encryption if we are to improve things. I'm not saying the above draft is a good way to handle that, but the problem in querying TLDs is real, whereas for root servers it seems to me way less of a deal. Or... am I confused? (That happens often:-)

Cheers,
S.
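The QNAME minimisation behaviour discussed above, as an added illustration that is not part of the thread and not taken from any named resolver: a toy RFC 7816 walk over a constructed delegation tree, showing which query name each server on the delegation path actually receives with and without minimisation. The delegation tree, the zone names and the function names are all constructed for this example; a real resolver learns zone cuts from referral responses rather than from a dictionary.

```python
"""Toy RFC 7816 QNAME minimisation walk (constructed example, not from the thread).

The point it makes: with minimisation, a root server only ever sees the TLD
label of a query, while a TLD server sees one label more, and so on down the
chain. Without minimisation every server on the path sees the full name.
"""

# Constructed delegation tree: zone -> set of child zones it delegates.
# Names are fully qualified, lowercase, with a trailing dot; "." is the root.
DELEGATIONS = {
    ".": {"uk.", "org."},
    "uk.": {"co.uk."},
    "co.uk.": {"example.co.uk."},
    "org.": {"ietf.org."},
}


def labels(name):
    """Split 'www.example.co.uk.' into ['www', 'example', 'co', 'uk']."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def ancestors(name):
    """Yield names from the root down to the full name:
    '.', 'uk.', 'co.uk.', 'example.co.uk.', 'www.example.co.uk.'"""
    parts = labels(name)
    yield "."
    for i in range(len(parts) - 1, -1, -1):
        yield ".".join(parts[i:]) + "."


def resolve(qname, minimise):
    """Return the list of (zone_queried, qname_sent) pairs a resolver sends while
    walking the delegation chain for qname.

    minimise=True  : RFC 7816 behaviour, send only one more label than the zone
                     being asked; if the server does not delegate that name,
                     add another label and ask the same server again.
    minimise=False : classic behaviour, send the full qname to every server.
    """
    chain = list(ancestors(qname))  # shortest name first
    trace = []
    zone = "."
    for candidate in chain[1:]:
        sent = candidate if minimise else qname
        trace.append((zone, sent))
        if candidate in DELEGATIONS.get(zone, set()):
            zone = candidate  # referral: follow the zone cut downward
        elif not minimise:
            break  # full name was sent and this zone answered it
    return trace


def seen_by(zone, qname, minimise):
    """Set of query names the servers for `zone` observe when qname is resolved."""
    return {sent for z, sent in resolve(qname, minimise) if z == zone}


if __name__ == "__main__":
    name = "www.example.co.uk."
    for mode in (False, True):
        print(f"minimise={mode}")
        for zone, sent in resolve(name, mode):
            print(f"  ask {zone:<18} for {sent}")
```

Real minimising resolvers also vary the query type for the intermediate names (RFC 7816 suggests NS or A) and fall back to the full name on unexpected responses; the walk above only models which name reaches which server, which is the part relevant to what a root server can learn.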
