Moin! As technology didn’t work here are the comments I wanted to make on the mic:
The draft mainly seems to focus on a single recursive to authoritative interaction. Most domains have more than one name server, and the selection of them often is quite complex and differs between implementations (I recall some very interesting and entertaining DNS-OARC talks about that topic, though I don't have links handy). Now what shall a resolver do if 1 out of the, say, 4 servers offers encryption and the others do not? And when it later comes to signals on the domain level, a full cold recursion often goes to multiple TLDs and SLDs that all have different name servers; at what level should the resolver fail?

While the IP address might be a good identifier on where to encrypt to, we recently had a situation where an authoritative server with the same IP did answer just fine for one domain, but did, because the domain was used in an attack earlier, drop all packets if you asked it for another domain. So I think you would need more than just the IP, especially if you are wanting to use signals.

And answering Brian Dickson on the idea of a client signalling a resolver to encrypt a resolution: I think it is a non-starter for the amount of complexity involved. What would you do if you had a half-finished resolution from a non-private client and then got a request for the same name again from a privacy-wanting client? What to do if the answer in cache came from a non-secure resolution?

So long
-Ralf

-------
Ralf Weber

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
