Vittorio Bertola <[email protected]> writes:
> This is actually the recommendation in section 4.6 of my draft :-) And
> I agree, it looks like the only possible and reasonable compromise
> between the two viewpoints.

Another way of stating the preference ordering: If DNS privacy is a goal, systems and applications SHOULD use DNS over TLS to encrypt traffic to their local resolver if possible (unless the system and application distrusts the local resolver infrastructure). Failing that, they MAY next use a DNS over TLS connection to a remote, potentially public, DNS resolver. Failing that, they MAY send DNS traffic over an HTTPS connection.

This preserves privacy as desired while still optimizing local caching, round trip speeds, and falling back to the must tunneling only as needed.

What no one has convinced me of (personally) is why applications should default to a single resolver over HTTPS at all times, regardless of where I am on the planet.

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
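The preference ordering in the message above (DoT to a trusted local resolver, then DoT to a remote resolver, then DoH) is easy to state but is usually implemented as a probe-and-fall-back loop. The following is an added example, not code from this thread, from any IETF draft, or from any DNS vendor: a minimal RFC 7858 DNS-over-TLS client (wire-format query with the 2-byte length prefix, certificate verified against the resolver name) plus a selector that walks the ordering. The resolver addresses, the DoH URL and the `CONSTRUCTED_RESPONSE` bytes are made up for illustration; the `probe` argument lets the selector be exercised offline.

```python
"""Pick a DNS transport in the order: DoT to trusted local resolver,
DoT to a remote resolver, then DoH.  Added example, not code from the
DNSOP thread.  Resolver addresses and the sample response are constructed."""
import socket
import ssl
import struct
import secrets
from typing import Callable, List, Optional, Tuple


def build_query(name: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Wire-format DNS query (RD set, class IN) with the 2-byte TCP/TLS length prefix."""
    if qid is None:
        qid = secrets.randbelow(65536)          # unpredictable ID, as a real client should use
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:                   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(msg: bytes, expected_id: int) -> List[str]:
    """Return the A-record addresses in a response; reject ID mismatch or error RCODE."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match query")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                          # skip echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server: str, name: str, port: int = 853,
              server_name: Optional[str] = None, timeout: float = 3.0) -> List[str]:
    """One DNS-over-TLS A query.  The default SSL context verifies the resolver's certificate."""
    query = build_query(name)
    qid = struct.unpack("!H", query[2:4])[0]
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), qid)


def dot_works(server: str) -> bool:
    """Live probe: does this resolver answer over TLS with a valid certificate?"""
    try:
        return bool(dot_query(server, "example.com."))
    except (OSError, ssl.SSLError, ValueError):
        return False


def choose_transport(local_resolver: Optional[str], local_trusted: bool,
                     remote_dot_resolvers: List[str], doh_url: Optional[str],
                     probe: Callable[[str], bool] = dot_works) -> Tuple[str, str]:
    """Walk the preference order from the post and return (transport, endpoint)."""
    if local_resolver and local_trusted and probe(local_resolver):
        return ("dot-local", local_resolver)     # keeps local caching and short RTTs
    for server in remote_dot_resolvers:
        if probe(server):
            return ("dot-remote", server)
    if doh_url:
        return ("doh", doh_url)                  # tunnel only as a last resort
    raise RuntimeError("no private DNS transport available")


# Constructed response to build_query("example.com", qid=0x1234): one A record, TTL 300.
CONSTRUCTED_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    # Offline walk of the ordering: local resolver has no DoT, remote one does.
    print(choose_transport("192.0.2.1", True, ["198.51.100.1"],
                           "https://doh.example/dns-query",
                           probe=lambda s: s == "198.51.100.1"))
```

With the default `probe`, `choose_transport` actually opens TLS to each candidate on port 853, so an untrusted or DoT-less local resolver drops through to the remote list and only then to DoH, which is the behaviour the message argues for. Passing `local_trusted=False` skips the local resolver entirely, matching the "unless the system and application distrusts the local resolver infrastructure" carve-out.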
