On 11/13/13 4:28 PM, "Stephane Bortzmeyer" <[email protected]> wrote:
> On Wed, Nov 13, 2013 at 04:21:26PM +0000,
>  Wiley, Glen <[email protected]> wrote
>  a message of 150 lines which said:
>
>> While I certainly support the idea of confidential DNS, I wonder
>> whether it is a good idea to impose the overhead involved in TLS on
>> the high volume name servers?
>
> First, it may not be TLS. I mention dnscrypt and there is also at
> least one (not published yet) proposal to encrypt DNS without TLS (or
> DTLS).

Thanks - I had TLS on the brain while I was reading.

> Second, I do not think we want to impose anything ("MUST encrypt all
> queries and MUST accept encrypted queries"...) My vision is that some
> servers will adopt encryption and not all. The resolvers will have to
> decide (local policy) what to do if the remote server does not support
> encryption.

The idea of making it opportunistic makes sense to me.

> This approach seems the only realistic one, for incremental
> deployment. An interesting consequence is that the end-user will have
> trouble knowing if his queries are encrypted or not (especially if his
> resolver uses a forwarder).

I agree. If he uses a secure transport then one way for the end user to know whether the queries are encrypted is to handle the iteration himself and hit the authoritative servers directly rather than query a recursive resolver. In order to do anything more definite we would need to alter the DNS protocol.
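The exchange above turns on two points: each resolver applies a local policy (strict, opportunistic, or plaintext) toward its own upstream, and a stub behind a forwarder can only observe its first hop. The model below is an added illustration written for this archive page, not code from either poster or from any resolver project. The server names, the three policy labels, the `encrypted_transport` flag and the chain topology are all constructed assumptions; it walks a query from a stub through any forwarders to the authoritative servers and reports what the stub can see versus what actually happened on the wire.

```python
"""Toy model of opportunistic DNS encryption along a resolution path.

Constructed example: the server names, the three policy labels and the
``encrypted_transport`` flag are assumptions for illustration, not any
real resolver's configuration syntax.
"""
from dataclasses import dataclass
from typing import List, Optional

STRICT, OPPORTUNISTIC, PLAINTEXT = "strict", "opportunistic", "plaintext"


class PolicyRefused(Exception):
    """Raised when a strict node has no encrypted path to its next server."""


@dataclass
class Server:
    name: str
    encrypted_transport: bool              # accepts encrypted queries (dnscrypt, TLS, ...)
    policy: str = OPPORTUNISTIC            # what this node does when ITS upstream lacks encryption
    upstream: Optional["Server"] = None    # forwarder target; None means it iterates itself


@dataclass
class Hop:
    src: str
    dst: str
    encrypted: bool


def _choose_transport(src: Server, dst: Server) -> bool:
    """Apply src's local policy to one query toward dst; True if the hop is encrypted."""
    if src.policy == PLAINTEXT:
        return False
    if dst.encrypted_transport:
        return True
    if src.policy == STRICT:
        raise PolicyRefused(f"{src.name} refuses plaintext query to {dst.name}")
    return False                           # opportunistic: fall back to plaintext


def resolution_path(start: Server, authoritatives: List[Server]) -> List[Hop]:
    """Walk from the stub through any forwarders, then out to the authoritatives."""
    hops: List[Hop] = []
    node = start
    while node.upstream is not None:
        hops.append(Hop(node.name, node.upstream.name, _choose_transport(node, node.upstream)))
        node = node.upstream
    # The last node in the chain performs iteration against the authoritative servers.
    for auth in authoritatives:
        hops.append(Hop(node.name, auth.name, _choose_transport(node, auth)))
    return hops


def query_permitted(start: Server, authoritatives: List[Server]) -> bool:
    """False if some strict node along the path refuses to send in plaintext."""
    try:
        resolution_path(start, authoritatives)
        return True
    except PolicyRefused:
        return False


def end_user_sees_encryption(hops: List[Hop]) -> bool:
    """All the stub can observe directly is its own first hop."""
    return hops[0].encrypted


def fully_encrypted(hops: List[Hop]) -> bool:
    """Whether the query was protected on every link of the path."""
    return all(h.encrypted for h in hops)


# Constructed topology: root, TLD and zone servers; only the zone server supports encryption.
AUTHS = [
    Server("root-server", encrypted_transport=False),
    Server("tld-server", encrypted_transport=False),
    Server("example-zone", encrypted_transport=True),
]
# An encryption-capable ISP resolver that quietly forwards to a plaintext-only cache.
ISP_FORWARDER = Server("upstream-cache", encrypted_transport=False, policy=OPPORTUNISTIC)
ISP_RESOLVER = Server("isp-resolver", encrypted_transport=True, policy=OPPORTUNISTIC,
                      upstream=ISP_FORWARDER)


def via_resolver() -> List[Hop]:
    """Strict stub talking to the ISP resolver: first hop encrypted, rest is invisible to it."""
    stub = Server("stub", encrypted_transport=True, policy=STRICT, upstream=ISP_RESOLVER)
    return resolution_path(stub, AUTHS)


def self_iterating() -> List[Hop]:
    """Stub that does its own iteration: it chose, and therefore knows, every hop."""
    stub = Server("stub", encrypted_transport=True, policy=OPPORTUNISTIC, upstream=None)
    return resolution_path(stub, AUTHS)


if __name__ == "__main__":
    for label, hops in (("via resolver", via_resolver()), ("self-iterating", self_iterating())):
        print(label)
        for h in hops:
            print(f"  {h.src} -> {h.dst}: {'encrypted' if h.encrypted else 'plaintext'}")
        print(f"  stub sees encrypted={end_user_sees_encryption(hops)}, "
              f"path fully encrypted={fully_encrypted(hops)}")
```

In the `via_resolver` case the stub's strict policy is satisfied (its one hop is encrypted) while three of the five links behind the forwarder are plaintext, which is exactly the "trouble knowing" consequence. In the `self_iterating` case every hop has the stub as its source, so the stub can account for each link itself, at the cost of losing the shared cache.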
