On May 26, 2021, at 15:50, Eric Rescorla <e...@rtfm.com> wrote:
> 
> 
>> The SVCB glue is just a slight optimization.  I don't think it can even save 
>> latency, just a packet per NS (and only in cases where the SVCB exists).
>> 
> As noted in my presentation, it's more than an optimization. It's an 
> important security function in cases where the sensitive domain name is the 
> apex.

Can you clarify what you mean? Isn't the apex of the domain name the domain 
name?

I suspect you mean to say if the NS record is in bailiwick of the domain, e.g. 
ns0.nohats.ca serving the domain nohats.ca.

If so, then the IP address and glue is also available in the parent zone and 
connecting encrypted to 193.110.157.102 is trivial to track down as talking to 
ns0.nohats.ca. How long does it take to run “dig ns $name.ca @a.ca-servers.ca” 
for all domain names you find ending in .ca ?

If not, then I would like to understand better what you are trying to protect.

Paul
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
