On Sun, Aug 1, 2021 at 9:22 PM Martin Thomson <[email protected]> wrote:
> On Fri, Jul 30, 2021, at 06:08, Eric Rescorla wrote:
> > - Recursives can attempt to connect to any authoritative by probing
> >   with DoT/DoQ [0]. In this case, they should cleanly fall back to
> >   Do53 on connect failure and not validate the credential (whether
> >   WebPKI or DANE) This allows authoritatives to just turn on TLS
> >   without risk.
>
> I assume that your MUST NOT validate here only exists because of the
> combination of:
>
> 1. Us not being able to decide between Web PKI and DANE; and
>

Largely, though it also allows for incremental rollout and a new auth mechanism.

> 2. The potential for an unauthenticated mode.
>
> If we decided on a single answer for the first and in the negative for the
> second, would that make authentication viable? Or is the opportunism a
> feature?
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
