On Oct 1, 2021, at 4:50 AM, Brian Haberman <[email protected]> wrote:
>
> On 9/23/21 2:17 PM, Ben Schwartz wrote:
>>
>> I think this clarifies an important requirements question for the working
>> group: do we intend to enable authenticated ADoT for names whose TLD
>> doesn't do ADoT? If yes, we need a way to authenticate the NS name and a
>> signal for ADoT support. If no, we can rely on the parent's ADoT to
>> authenticate the glue (as suggested in draft-adox).
>
> I purposely waited a week to see if anyone would venture an answer to
> this query. From my perspective, as co-chair, the lack of an answer is
> quite telling. To me, it indicates that the WG is still not sure where
> it wants to go with this work.
If "this work" means authenticated ADoT, I agree. If "this work" means "DS glue", I disagree. The presence of DS glue for resolvers that are doing unauthenticated DoT allows for more encryption of DNS on the Internet.

> I would contend that the only consistent
> view I have heard from everyone is that there is not a need to
> authenticate or encrypt to the root servers. After that, I see a lack of
> consensus on:
>
> 1. ADoT support at TLDs
> 2. ADoT support at parents for children doing ADoT
>
> Granted, in most cases #1 is a degenerate case of #2.

Given that, can we move forward with the unauthenticated use case, for which there has been a lot of interest? Or do we have to reach consensus on one use case for both of them to move forward?

--Paul Hoffman
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
