On Wed, Nov 13, 2013 at 04:21:26PM +0000, Wiley, Glen <[email protected]> wrote a message of 150 lines which said:

> While I certainly support the idea of confidential DNS, I wonder
> whether it is a good idea to impose the overhead involved in TLS on
> the high volume name servers?

First, it may not be TLS. I mention dnscrypt and there is also at
least one (not published yet) proposal to encrypt DNS without TLS (or
DTLS).

Second, I do not think we want to impose anything ("MUST encrypt all
queries and MUST accept encrypted queries"...). My vision is that some
servers will adopt encryption and not all. The resolvers will have to
decide (local policy) what to do if the remote server does not support
encryption.

This approach seems the only realistic one, for incremental
deployment. An interesting consequence is that the end-user will have
trouble knowing if his queries are encrypted or not (especially if his
resolver uses a forwarder).
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass