On Mon, 28 Sep 2020 at 12:33, Eliot Lear <[email protected]> wrote:

> Tiru
>
> On 28 Sep 2020, at 08:52, tirumal reddy <[email protected]> wrote:
>
>>
>> Not necessarily. That is a matter of signaling between the CPE and the
>> ISP.
>>
>
> No, the special use domain name (SUDN) does not require any update to the
> CPE. The signaling from the endpoint is resolved by the ISP DNS recursive
> server and, it is not between the CPE and the ISP.
>
>
> All I am saying is this:
>
>      ,--------.          ,---.           ,------.
>      |Endpoint|          |CPE|           |ISPDNS|
>      `---+----'          `-+-'           `--+---'
>          |          1 A/AAAA Query          |
>          | --------------------------------->
>          |                 |                |
>          |        2 Response(A/AAAA)        |
>          | <---------------------------------
>          |                 |                |
>          |                 |3 add ACL/TR.369|
>          |                 |  or similar    |
>          |                 |<----------------
>      ,---+----.          ,-+-.           ,--+---.
>      |Endpoint|          |CPE|           |ISPDNS|
>      `--------'          `---'           `------'
>
> You can substitute “ISPDNS” for whoever offers the CPE (like
> Google/Eero/etc, so long as the DNS infra and CPE know about one another
> and agree on a control channel).
>
Yes, that should work for managed CPE. ISPs and security vendors want to
host an encrypted DNS forwarder on the home router itself, see
https://tools.ietf.org/html/draft-box-add-requirements-00#section-3.1.2 and
https://tools.ietf.org/html/draft-campling-operator-observations-00

-Tiru

>
> Eliot
>
>
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
