On 2023-03-29 17:57 +09, Stephane Bortzmeyer <[email protected]> wrote:
> On Tue, Mar 28, 2023 at 09:29:46PM +0900,
>  Ralf Weber <[email protected]> wrote
>  a message of 30 lines which said:
>
>> As I don't think probing for secure transport is a good idea and
>> hope that we will come up with better solutions that follow the DNS
>> delegation model.
>
> You mean the parent announcing the zone has ADoT servers? This seems a
> good way to have discrepancies between the announce and the reality.
>
>> While I think using IP addresses for authoritative server selection
>> is a natural choice there have been cases where an authoritative
>> server on the same IP answers differently depending on the domain
>> asked, which will not work well with the detailed implementation of
>> that draft.
>
> The point is that this draft is an opportunity to state clearly what
> we expect from the authoritative name servers. Requesting that all
> instances at the same IP address have DoT does not seem unreasonable
> but, indeed, it is not written anywhere yet.
One other issue that occurred to me, and again, no commentary on whether this is a good idea or not, but I do know that people do this: if a resolver sends probe traffic to port 853 just because there is a nameserver running on the same IP, it might trip threat-intelligence systems and get the resolver IP blocked.

--
In my defence, I have been left unsupervised.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
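As an added example (not code from this thread or from the draft under discussion), the following Python models the situation raised in the message above: a resolver that keeps per-IP probe state for port 853 and damps re-probes, placed beside a deliberately simple threat-intelligence style heuristic that flags any source opening TCP/853 to many distinct hosts within a short window. The resolver address, the TEST-NET authoritative addresses, the damping intervals and the flow records are all constructed assumptions; the point shown is that a first pass over a busy resolver's authoritative set looks exactly like a port scan to such a heuristic, while damping only removes the repeat traffic.

```python
"""Added example: why unilateral probing of port 853 can look like a port scan.

Nothing here is the draft's code or the list's code. Two pieces, both constructed:
  1. ProbeCache  - per-IP probe state with damping, roughly the shape a resolver
                   keeps when deciding whether to try TCP/853 on an address.
  2. flag_scanners - a naive "one source hits TCP/853 on many distinct hosts in
                   a short window" heuristic, standing in for a threat-intel feed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

RESOLVER = "198.51.100.53"          # assumed resolver address (TEST-NET-2)
RETRY_AFTER_FAILURE = 86400         # assumed: re-probe an IP without DoT once a day
RECHECK_AFTER_SUCCESS = 3600        # assumed: re-check a working DoT IP hourly


@dataclass
class ProbeCache:
    """Per-IP memory of the last probe result and when it happened."""
    state: dict = field(default_factory=dict)   # ip -> (dot_worked: bool, when: float)

    def should_probe(self, ip, now):
        entry = self.state.get(ip)
        if entry is None:
            return True                          # never seen this IP: probe it
        ok, when = entry
        wait = RECHECK_AFTER_SUCCESS if ok else RETRY_AFTER_FAILURE
        return now - when >= wait

    def record(self, ip, ok, now):
        self.state[ip] = (ok, now)


def simulate_probes(cache, queries, dot_ips):
    """For each (ts, authoritative_ip) the resolver needs, emit a probe flow
    (ts, src, dst, dport) to dst:853 if the cache allows it, and record the
    outcome (success iff the IP is in the constructed dot_ips set)."""
    flows = []
    for ts, ip in queries:
        if cache.should_probe(ip, ts):
            flows.append((ts, RESOLVER, ip, 853))
            cache.record(ip, ip in dot_ips, ts)
    return flows


def flag_scanners(flows, window=60, threshold=10, port=853):
    """Return the set of sources that contacted >= threshold distinct
    destinations on `port` inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        lo = 0
        in_window = defaultdict(int)             # dst -> hits inside current window
        for ts, dst in events:
            in_window[dst] += 1
            while events[lo][0] < ts - window:   # drop events that fell out of the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                flagged.add(src)
                break
    return flagged


def demo():
    """Constructed scenario: 50 authoritative IPs queried within one minute,
    only two of them actually run DoT, then the same 50 a minute later.
    Returns (probes_pass1, probes_pass2, flagged_pass1, flagged_pass2)."""
    cache = ProbeCache()
    auth_ips = [f"192.0.2.{i}" for i in range(1, 51)]       # TEST-NET-1, constructed
    dot_ips = {"192.0.2.1", "192.0.2.2"}
    first_pass = [(1000 + i, ip) for i, ip in enumerate(auth_ips)]
    second_pass = [(1100 + i, ip) for i, ip in enumerate(auth_ips)]
    flows1 = simulate_probes(cache, first_pass, dot_ips)
    flows2 = simulate_probes(cache, second_pass, dot_ips)
    return len(flows1), len(flows2), flag_scanners(flows1), flag_scanners(flows2)


if __name__ == "__main__":
    print(demo())
```

The first pass produces 50 probe connections to 50 hosts on TCP/853 in under a minute, so the heuristic flags the resolver exactly as it would flag a scanner; the damping in ProbeCache makes the second pass silent, but it does nothing for the initial burst, which is the traffic a threat-intelligence system sees first.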
