Matthäus Wander wrote:
> * Paul Vixie [7/5/2014 5:04 AM]:
>> datagram level channel secrecy (for example, DTLS or IPSEC) offers a
>> solution which matches the existing datagram level UDP transport used
>> primarily by DNS. however, the all-pervasive middleboxes (small plastic
>> CPE devices installed by the hundreds of millions by DSL and Cable and
>> other providers) have been shown to be more powerful than IPv6, DNSSEC,
>> and EDNS -- we could expect them to prevent any new datagram level
>> channel secrecy protocol we might otherwise wish to employ.
>
> DTLS works on top of UDP (among others) and thus can pass CPE devices.
no, it cannot. DTLS does not look like something that the CPE was programmed to accept; thus in many cases it is silently dropped.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop