On Sep 19, 2023, at 09:01, Rob Wilton (rwilton) <[email protected]> wrote:
>
> Hi Paul,
>
> One question/comment on one of your discuss comments inline
> [Rob Wilton (rwilton)]
>
> This makes sense, but do we know what proportion of authoritative servers
> will have DoT/DoQ enabled? E.g., is this something that the latest version
> of common DNS server software enables by default, or does it require extra
> proactive configuration?

Currently, my guess is about 0%.

> I can imagine that if lots of users hit 3-5s delays for their queries then
> that could be really annoying.

I agree one should only do this to the user via opt-in. Note that users running their own recursive resolvers are already voluntarily taking a delay. And for those recursive servers that are used by many users, this delay would be hardly noticeable, as it only happens once a day or less, and with prefetching could happen even less.

I guess there is a big deployment requirement difference between using a stub to a recursive or running a recursive yourself, which the current document doesn't consider.

> This is also potentially something that could be changed in the future.
> I.e., default to also sending in the clear now, but with a plan to
> subsequently change the default behaviour a couple of years down the line.
> I.e., a phased migration.

A couple of years down the line, I was hoping to have authenticated DoT/DoQ and not unilateral probing with unauthenticated TLS.

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy

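The amortisation Paul describes above (a recursive resolver pays the failed-probe delay once per authoritative server per damping period, and nothing at all unless probing is opted in) as an added example that is not part of the original thread or of any resolver's code: a small Python model of per-authoritative-IP probe state. The 4 s probe timeout, the one-day damping interval and the 192.0.2.1 address are assumptions chosen for illustration, not values taken from the draft.

```python
from dataclasses import dataclass, field

PROBE_TIMEOUT = 4.0   # assumed: seconds lost when an encrypted attempt times out
DAMPING = 86400.0     # assumed: seconds to wait before re-probing a failed server


@dataclass
class ProbeState:
    encrypted_ok: bool = False           # a previous probe to this IP succeeded
    last_failure: float = float("-inf")  # time of the last failed probe


@dataclass
class Resolver:
    opt_in: bool                  # operator enabled unilateral probing
    servers_with_dot: set         # constructed: authoritative IPs that offer DoT/DoQ
    state: dict = field(default_factory=dict)  # per-authoritative-IP probe state

    def resolve(self, ip: str, now: float):
        """One query to authoritative `ip` at time `now`.
        Returns (transport used, extra delay the querier experiences)."""
        if not self.opt_in:
            return "do53", 0.0                # probing off: cleartext, no delay
        st = self.state.setdefault(ip, ProbeState())
        if st.encrypted_ok:
            return "dot", 0.0                 # reuse the known-good encrypted transport
        if now - st.last_failure < DAMPING:
            return "do53", 0.0                # damped: no re-probe, no delay
        if ip in self.servers_with_dot:       # probe succeeds on first try
            st.encrypted_ok = True
            return "dot", 0.0
        st.last_failure = now                 # probe fails: fall back and remember when
        return "do53", PROBE_TIMEOUT


def simulate(resolver: Resolver, queries):
    """Run (ip, time) queries; return total extra delay and per-transport counts."""
    total, counts = 0.0, {"do53": 0, "dot": 0}
    for ip, t in queries:
        transport, delay = resolver.resolve(ip, t)
        total += delay
        counts[transport] += 1
    return total, counts


if __name__ == "__main__":
    # constructed: one query per minute to a single authoritative IP for two days
    queries = [("192.0.2.1", t) for t in range(0, 2 * 86400, 60)]
    no_dot = Resolver(opt_in=True, servers_with_dot=set())
    print(simulate(no_dot, queries))  # -> (8.0, {'do53': 2880, 'dot': 0})
```

With probing enabled against a server that never answers on the encrypted port, 2880 queries cost two timeouts in total (one probe per day); the same queries cost nothing when the server does offer DoT or when the operator has not opted in.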