On Fri, Jul 30, 2021, at 06:08, Eric Rescorla wrote:
> - Recursives can attempt to connect to any authoritative by probing
>   with DoT/DoQ [0]. In this case, they should cleanly fall back to
>   Do53 on connect failure and not validate the credential (whether
>   WebPKI or DANE). This allows authoritatives to just turn on TLS
>   without risk.
I assume that your MUST NOT validate here only exists because of the combination of:

1. Us not being able to decide between Web PKI and DANE; and
2. The potential for an unauthenticated mode.

If we decided on a single answer for the first and in the negative for the second, would that make authentication viable? Or is the opportunism a feature?

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
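To make the exchange above concrete, here is an added example (not code from either poster, the dns-privacy working group, or any resolver implementation) of the probe a recursive would run against an authoritative under the quoted proposal: attempt TLS on port 853, fall back cleanly to Do53 if the TCP connection fails, and in the opportunistic mode skip credential validation entirely. The `AuthMode` enum, the `Transport` result type, the `fallback_on_connect_failure` switch, and the two loopback fixtures (`closed_local_port`, `plaintext_listener`) are this example's own constructions; DANE validation and DoQ are not modelled. The strict `WEBPKI` branch shows what changes if the thread's question is answered "yes": a rejected credential or a failed handshake must not degrade to Do53, because that downgrade is exactly what an on-path attacker would aim for. Note that even in strict mode, keeping the fallback on connect failure means an attacker who can block 853 still forces Do53, which is why the authentication question and the fallback question are coupled.

```python
"""Opportunistic DoT probe with fallback to Do53 (added example, not from the thread)."""
import socket
import ssl
import threading
from dataclasses import dataclass
from enum import Enum


class AuthMode(Enum):
    OPPORTUNISTIC = "opportunistic"  # encrypt if offered, never validate the credential
    WEBPKI = "webpki"                # require a chain to the system CA store
    # A DANE mode would pin the leaf to a TLSA record; not modelled in this example.


@dataclass
class Transport:
    scheme: str          # "dot", "do53", or "none" (refuse to query this server)
    authenticated: bool  # True only if the presented credential was validated
    reason: str


def tls_context(mode: AuthMode) -> ssl.SSLContext:
    """System defaults, with validation switched off only in opportunistic mode."""
    ctx = ssl.create_default_context()
    if mode is AuthMode.OPPORTUNISTIC:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_authoritative(host: str, port: int = 853,
                        mode: AuthMode = AuthMode.OPPORTUNISTIC,
                        fallback_on_connect_failure: bool = True,
                        timeout: float = 1.0) -> Transport:
    """Decide how a recursive should talk to `host` after one DoT probe."""
    # 1. TCP connect. Refused/timeout is the "connect failure" the quoted
    #    proposal allows falling back on. Disabling the fallback is the
    #    hypothetical strict deployment; an attacker blocking 853 can no
    #    longer force plaintext, at the cost of losing servers without TLS.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        if fallback_on_connect_failure:
            return Transport("do53", False, f"connect failed ({type(exc).__name__}); using Do53")
        return Transport("none", False, f"connect failed ({type(exc).__name__}); fallback disabled")

    # 2. TLS handshake. wrap_socket closes `raw` itself if the handshake fails.
    try:
        with tls_context(mode).wrap_socket(raw, server_hostname=host) as tls:
            return Transport("dot", mode is not AuthMode.OPPORTUNISTIC,
                             f"{tls.version()} established")
    except ssl.SSLCertVerificationError as exc:
        # Only reachable in a validating mode. A bad credential must never
        # degrade to Do53: any on-path attacker with any certificate could
        # otherwise strip the encryption.
        return Transport("none", False, f"credential rejected: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        # Port open but no usable TLS behind it (plaintext service, reset, EOF).
        if mode is AuthMode.OPPORTUNISTIC:
            return Transport("do53", False, f"handshake failed ({type(exc).__name__}); using Do53")
        return Transport("none", False, f"handshake failed ({type(exc).__name__}); not downgrading")


# --- Constructed loopback fixtures, so the probe can be exercised offline ---

def closed_local_port() -> int:
    """An ephemeral port on 127.0.0.1 with nothing listening (connect is refused)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def plaintext_listener() -> int:
    """Accepts one TCP connection and closes it without speaking TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_authoritative("127.0.0.1", closed_local_port()))
    print(probe_authoritative("127.0.0.1", plaintext_listener()))
    print(probe_authoritative("127.0.0.1", plaintext_listener(), mode=AuthMode.WEBPKI))
```

Against a real authoritative, the same function would be called with the server's hostname (or IP) and the default port 853; the fixtures exist only to show the two fallback paths and the strict refusal without a network.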
