In your letter dated Tue, 10 Jan 2023 11:33:57 -0500 (EST) you wrote:
>> However, such a setup leaves the application with no control over
>> which transport the proxy uses.
>
> Why should the application have control over this?
The following is just a thought, I didn't implement it.

With local DNS proxies that use encrypted transports there can be a bit of a bootstrap problem if a system boots without any sense of the current time. What might happen is that an NTP client tries to look up pool.ntp.org. If DNS resolution goes through a proxy that tries to use an encrypted transport, then the proxy may fail because the time is wrong. The NTP client doesn't get any answers, so it can't set the clock and the system doesn't boot.

In that case, if the NTP client would request DNS resolution over Do53 for its initial lookup of pool.ntp.org, then the proxy can return a DNS reply and the system can boot normally.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
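A small simulation of the bootstrap deadlock described in the message above, added here as an example (it is not the poster's code or any project's): a proxy that only speaks DoT rejects its upstream's certificate while the clock sits at the epoch, so the NTP client never gets an answer; letting that first lookup go over Do53 breaks the cycle. The certificate window, the address and the timestamps are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed values: the upstream DoT server's certificate validity window and
# the real time, as seconds since the Unix epoch. A TLS client rejects a
# certificate when its clock falls outside [not_before, not_after].
CERT_NOT_BEFORE = 1_672_531_200   # 2023-01-01T00:00:00Z
CERT_NOT_AFTER = 1_704_067_199    # 2023-12-31T23:59:59Z
REAL_TIME = 1_673_368_437         # 2023-01-10T16:33:57Z, what NTP would report
NTP_POOL = "pool.ntp.org"
NTP_POOL_ADDR = "192.0.2.10"      # constructed address (TEST-NET-1)

@dataclass
class System:
    clock: int = 0                 # no battery-backed RTC: boots at the Unix epoch
    synced: bool = False
    dot_after_boot: bool = False
    log: List[str] = field(default_factory=list)

def cert_valid_at(now: int) -> bool:
    return CERT_NOT_BEFORE <= now <= CERT_NOT_AFTER

def proxy_resolve(sysm: System, name: str, transport: str) -> Optional[str]:
    """Local DNS proxy: DoT needs a valid upstream certificate, Do53 does not."""
    if transport == "DoT" and not cert_valid_at(sysm.clock):
        sysm.log.append(f"DoT upstream rejected: cert not valid at clock={sysm.clock}")
        return None
    sysm.log.append(f"{transport} answer for {name}")
    return NTP_POOL_ADDR           # constructed: every name maps to one address

def boot(allow_do53_bootstrap: bool, max_attempts: int = 3) -> System:
    """NTP client resolves the pool and syncs the clock; then a normal DoT lookup runs."""
    sysm = System()
    for _ in range(max_attempts):
        # With the workaround, the initial lookup is sent over plain Do53.
        transport = "Do53" if allow_do53_bootstrap and not sysm.synced else "DoT"
        if proxy_resolve(sysm, NTP_POOL, transport) is not None:
            sysm.clock = REAL_TIME    # NTP exchange succeeded, clock is set
            sysm.synced = True
            break
    sysm.log.append("clock synced" if sysm.synced else "boot stalled: clock never set")
    # Once the clock is right the encrypted transport validates and works again.
    sysm.dot_after_boot = proxy_resolve(sysm, "example.com", "DoT") is not None
    return sysm

if __name__ == "__main__":
    for mode in (False, True):
        print(f"Do53 bootstrap={mode}:", *boot(mode).log, sep="\n  ")
```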