Hi Ben,

On 9/23/21 2:17 PM, Ben Schwartz wrote:
> On Thu, Sep 23, 2021 at 12:53 PM Petr Špaček <[email protected]> wrote:
>
>> On 20. 09. 21 18:12, Ben Schwartz wrote:
>> > ...
>
>>> 2: communication to TLD servers. I believe we have very
>>> privacy-interesting data in QNAMEs there already, arguably even the most
>>> sensitive parts.
>>>
>>> In general, I agree. However, there are some cases where the lower
>>> labels are more sensitive (e.g. tumblr.com <http://tumblr.com>).
>>
>> I do not dispute there are sites that might benefit, but I think we have
>> to keep the big picture in mind.
>>
>> 1] The second label is very often sensitive. To me, a non-sensitive
>> second label seems more of an exception.
>
> I think this clarifies an important requirements question for the working
> group: do we intend to enable authenticated ADoT for names whose TLD
> doesn't do ADoT? If yes, we need a way to authenticate the NS name and a
> signal for ADoT support. If no, we can rely on the parent's ADoT to
> authenticate the glue (as suggested in draft-adox).
I purposely waited a week to see if anyone would venture an answer to this query. From my perspective, as co-chair, the lack of an answer is quite telling. To me, it indicates that the WG is still not sure where it wants to go with this work.

I would contend that the only consistent view I have heard from everyone is that there is not a need to authenticate or encrypt to the root servers. After that, I see a lack of consensus on:

1. ADoT support at TLDs
2. ADoT support at parents for children doing ADoT

Granted, in most cases #1 is a degenerate case of #2.

Regards,
Brian
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
