Hi Paul,

On 10/1/21 11:07 AM, Paul Hoffman wrote:
> On Oct 1, 2021, at 4:50 AM, Brian Haberman <[email protected]> wrote:
>>
>> On 9/23/21 2:17 PM, Ben Schwartz wrote:
>>>
>>> I think this clarifies an important requirements question for the working
>>> group: do we intend to enable authenticated ADoT for names whose TLD
>>> doesn't do ADoT? If yes, we need a way to authenticate the NS name and a
>>> signal for ADoT support. If no, we can rely on the parent's ADoT to
>>> authenticate the glue (as suggested in draft-adox).
>>
>> I purposely waited a week to see if anyone would venture an answer to
>> this query. From my perspective, as co-chair, the lack of an answer is
>> quite telling. To me, it indicates that the WG is still not sure where
>> it wants to go with this work.
>
> If "this work" means authenticated ADoT, I agree. If "this work" means "DS
> glue", I disagree. The presence of DS glue for resolvers that are doing
> unauthenticated DoT allows for more encryption of DNS on the Internet.
>

Sorry for the lack of clarity. I specifically meant the ADoT work.

>> I would contend that the only consistent
>> view I have heard from everyone is that there is not a need to
>> authenticate or encrypt to the root servers. After that, I see a lack of
>> consensus on:
>>
>> 1. ADoT support at TLDs
>> 2. ADoT support at parents for children doing ADoT
>>
>> Granted, in most cases #1 is a degenerate case of #2.
>
> Given that, can we move forward with the unauthenticated use case, for which
> there has been a lot of interest? Or do we have to reach consensus on one use
> case for both of them to move forward?
>

I see no reason to slow the effort on the unauthenticated use case.

Regards,
Brian
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
