On Sat, 15 Feb 2014, Stephane Bortzmeyer wrote:
>> (D)TLS for DNS makes a lot of sense to me.
>
> I fully agree. But do note we did not discuss yet the alternatives
> (draft-wijngaards-dnsop-confidentialdns, DNScrypt or simply
> IPsec). The BoF "DNS encryption" in London seems a good start

"simply IPsec"? Bootstrapping DNS from IPsec which relies on DNS is not
trivial (and the Verisign proposal seems to only deal with nameservers
with access to their reverse DNS, which excludes the DNS servers that
really need the protection, those supplied by DHCP in coffeeshops,
and completely lacks understanding of IPsec realities such as NAT-T)

> <http://trac.tools.ietf.org/bof/trac/wiki/WikiStart> and
> <https://datatracker.ietf.org/wg/dnse/charter/>.
>
>> I recommend it be adopted by the working group,
>
> DNSOP? Some people say it is outside the charter since it is a
> modification of the protocol. I myself am not favorable to an
> ultra-strict interpretation of the charter so I'll hummmmmm with you.

At IETF87 it was planned to have a discussion at dnsop about this
continued problem of drafts that fall between operations and extensions
and the fact that dnsext closed down. Nothing happened at IETF87 or
IETF88. I hope to see this as an agenda item for dnsop this meeting.

We need a WG to discuss DNS innovation.
Paul