On Fri, 12 Feb 2021, Joe Abley wrote:
> I have discovered that without liberal access to bars and hallways at in-person IETF meetings, I no longer know how to tell the difference between ambition and insanity when it comes to technical proposals. I am quite prepared to find out that in this case the needle is at the crazy end of the scale.
So I think the execsum is: REFER is like NS for the client, but signed like DS. What does that buy us?

A MITM can't forge the NS to trick a validator to a dead end (presuming a DS protects them from actual bogus data). That is the same gain from getting TLS to AUTH servers. But REFER works without needing transport security.

For everyone else downstream of the validating resolver, they of course can already be given DS plus child-side (signed) NS records. And this solution would still be missing a pubkey that can be used to encrypt the connection to the delegated child zone nameservers.

Seeing how things would likely misimplement REFER, or run into issues because it gets semi-supported through generic records and just flies along the wrong side of the zone cut, I'd say the dangers of this do not outweigh the gains.

If we do something drastic like this, at least provide not only the validatable child NS records, but also provide whatever is needed to set up a fully encrypted connection to the child's nameservers so we can get a fully private query chain with no leaks.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
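The point Paul is weighing (a parent-side NS RRset is unsigned, so an on-path attacker can redirect a validating resolver without tripping DNSSEC, whereas a DS change is caught; a signed REFER-style record would close that gap) can be shown with a small model of which RRsets at a zone cut carry RRSIGs. The following is an added example written for this page, not code from the thread or from any DNSOP draft. Assumptions: the "REFER" type and its treatment as a parent-authoritative, signed RRset are hypothetical, following the proposal as Paul summarises it; the `rrsig()` helper is an HMAC stand-in for a real RRSIG over the canonical RRset (a validator would verify a DNSKEY signature instead, but the coverage rules are the same); the zone names, nameserver names and DS rdata are constructed sample data.

```python
"""Model of what a DNSSEC validator can and cannot check in a parent-side referral."""
import copy
import hashlib
import hmac
from typing import Optional

# RRsets a signed parent zone signs at a delegation point (RFC 4035): DS (and the
# NSEC/NSEC3 proving its absence) are authoritative in the parent and carry RRSIGs;
# the parent-side NS RRset and glue are not authoritative and are unsigned.
# "REFER" is the hypothetical record from the thread: NS-like rdata, signed like DS.
SIGNED_AT_ZONE_CUT = frozenset({"DS", "NSEC", "NSEC3", "REFER"})


def rrsig(zsk: bytes, name: str, rtype: str, rdata: list) -> str:
    """Stand-in for an RRSIG (assumption): HMAC over the canonical RRset.
    A real validator verifies a DNSKEY signature; the coverage logic is unchanged."""
    canonical = "\n".join([name.lower(), rtype] + sorted(rdata)).encode()
    return hmac.new(zsk, canonical, hashlib.sha256).hexdigest()


def sign_referral(zsk: bytes, name: str, rrsets: dict) -> dict:
    """Build the parent's referral: an RRset gets an RRSIG only if the parent is
    authoritative for it; NS and glue are handed out unsigned."""
    referral = {}
    for rtype, rdata in rrsets.items():
        sig = rrsig(zsk, name, rtype, rdata) if rtype in SIGNED_AT_ZONE_CUT else None
        referral[rtype] = {"rdata": list(rdata), "rrsig": sig}
    return referral


def tamper(referral: dict, rtype: str, rdata: list) -> dict:
    """On-path attacker rewrites one RRset in flight. Without the parent's ZSK it
    cannot re-sign, so any existing RRSIG is left in place and no longer matches."""
    forged = copy.deepcopy(referral)
    forged[rtype]["rdata"] = list(rdata)
    return forged


def validate_referral(zsk: bytes, name: str, referral: dict) -> tuple:
    """Validator's view: every RRset the parent must sign has to verify; RRsets that
    are never signed are simply not checked. Returns ("secure", None) or ("bogus", rtype)."""
    for rtype, rr in referral.items():
        if rtype not in SIGNED_AT_ZONE_CUT:
            continue  # unsigned by design: nothing to verify, nothing to detect
        expected = rrsig(zsk, name, rtype, rr["rdata"])
        if rr["rrsig"] is None or not hmac.compare_digest(rr["rrsig"], expected):
            return "bogus", rtype
    return "secure", None


def next_hop(zsk: bytes, name: str, referral: dict) -> tuple:
    """Where the resolver goes next. If a REFER RRset is present and the referral
    validates, it is used in preference to the unsigned NS RRset."""
    status, _ = validate_referral(zsk, name, referral)
    if status != "secure":
        return status, []
    source = "REFER" if "REFER" in referral else "NS"
    return status, referral[source]["rdata"]


if __name__ == "__main__":
    # Constructed sample data: a parent ZSK and a delegation for example.
    zsk = b"constructed-parent-zsk"
    child_ns = ["ns1.example.", "ns2.example."]
    ds = ["12345 13 2 0123abcd"]

    today = sign_referral(zsk, "example.", {"NS": child_ns, "DS": ds})
    print("honest referral:", next_hop(zsk, "example.", today))
    print("forged NS (undetected):", next_hop(zsk, "example.", tamper(today, "NS", ["ns.attacker.test."])))
    print("forged DS (detected):", validate_referral(zsk, "example.", tamper(today, "DS", ["1 13 2 deadbeef"])))

    with_refer = sign_referral(zsk, "example.", {"NS": child_ns, "DS": ds, "REFER": child_ns})
    print("forged REFER (detected):", validate_referral(zsk, "example.", tamper(with_refer, "REFER", ["ns.attacker.test."])))
```

The forged-NS case is the one Paul calls the dead end: the referral still validates, so the resolver follows the attacker's nameservers; the intact DS still rejects any bogus child data, but it cannot get the resolver to the real child. Note what the model does not give you, matching the second half of his message: even a validated REFER tells the resolver where to go, not how to encrypt the connection once it gets there.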
