Hi all,

Now that we've had some time to let the ideas settle, I'd like to discuss what would be required in order for the WG to adopt draft-rescorla-dprive-adox-latest.

From my perspective, the primary open question is the wisdom of having some kind of record in the parent domain. For the reasons I indicated in my presentation and in Section 6, if we are unable to securely indicate the use of ADoX in the parent, it will not be possible to protect many queries (i.e., those for the apex). I note that this is also embodied in:

https://www.ietf.org/archive/id/draft-pp-dprive-common-features-00.txt

and

https://www.ietf.org/archive/id/draft-ietf-dprive-unauth-to-authoritative-00.txt

While I understand that there are people who have reservations about whether it will be practical to populate the parent, I think the analysis cited above suggests that there will be comparatively little value in attempting to have a non-opportunistic mode without this feature (regardless of which record it is encoded in).

So, from my perspective, the question is:

1. Do we want a non-opportunistic mode? [My answer, of course, is yes]
2. Is this proposal a plausible starting point for that?

If the answer to both of those questions is "yes", then I'd like to ask for adoption. If not, can we try to dig into each of them?

-Ekr
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
