On Sun, Apr 10, 2022 at 09:08:39AM -0700, Daniel Kahn Gillmor wrote: > > On Thu 2022-04-07 16:47:02 +0100, Sara Dickinson wrote: > > > 3) The issue of signalling… I agree there is still work to do to mange > > this. From this reading: > > > - from a client perspective the concept of unilateral probing is > > pretty clear. There is a defined behavior for direct probing, which > > will be different from the behavior if 'external coordination' is > > available. > > > > - however servers can't know for sure how the client discovered them > > or how/if they are authenticating the connection. This document > > doesn't prescribe a way to know that a server is 'only' doing > > unilateral deployment and/or something else, hence the potential > > future issues with signalling. > > > > - given this draft is Informational and is designed to enable > > experiments I can't remember if there has already been discussion of > > using an 'alternative' ALPN for this initial deployment? By that I > > mean, use something like 'doq-p01’(DoQ probing 01) for these kind on > > connections (in the same way I-D tagged ALPNs are used during protocol > > development)? That way each side knows explicitly how to behave and > > statements like "An authoritative DNS server that wants to handle > > unilateral queries' would have clear meaning. Whilst this is taking > > liberties with ALPN and may have already been dismissed as an option, > > it does solve a number of problems in the short term and enable > > negotiation and evolution. Just asking :-) > > This is an interesting question: the proposal to play games with ALPN > hasn't yet been raised to my knowledge. > > Due to ALPN's transport in the clear for a normal TLS handshake, i'd be > reluctant to endorse that use here. I don't think we want a network > observer to know which encrypted transports are opportunistic and which > are due to signalled information. > > I'm also trying to get my head around what such an indicator would be > useful for. Presumably the authoritative server would behave > differently based on that indicator, but i'm having a hard time > imagining what the authoritative server should do differently. Is it > just for statistics/accounting? Can you explain what you think the > purpose of such an indicator would be?
Perhaps there could be separate ALPNs for recursive and authoritative DNS service, with no distinction if authoritative service is opportunistic or not? -Ilari _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
