On Aug 3, 2021, at 1:34 PM, Ben Schwartz <[email protected]> wrote:
> 
> In my view,
> 
> 1. We should provide guidance on how to do unauthenticated DoT/Q using 
> default-port probing, like we used to have in 
> https://datatracker.ietf.org/doc/html/draft-ietf-dprive-opportunistic-adotq-00.
> 
> 2. Publishing a SVCB record should indicate support for authenticated 
> encryption.  Nameservers that don't support authenticated encryption can 
> offer opportunistic encryption based on default-port probing.
> 
> 3. We should allow nameservers to indicate support for authentication via 
> common PKI, DANE, or both.
> 
> 4. SVCB and TLSA records are a firm promise, but resolver behavior is always 
> up to the operator.  They can choose whether to "fail closed", skip 
> authentication, fall back to UDP, etc.

If the WG is going to go to DS in the parent to have a signed signaling 
response, it would make sense that the signal in the child have an identical 
format. If we go with that, I'd rather see CDS be used in the child instead of 
SVCB.

I like using #4 as a way to bridge the two use cases (well, the stated 
unauthenticated use case and whatever fully-authenticated use case eventually 
gets published). That way, resolvers that have the unauthenticated use case 
have more reliable ways to get the signal, and also can get a signal for DoH.

--Paul Hoffman

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy