Brian Dickson wrote:
>
> I think a better comparison (better meaning more relevance and closer
> tracking of the transition and operation) would be the transition of SMTP
> to SMTP using TLS without downgrade susceptibility.
Yes. That was made a lot more difficult because it went through an
intermediate step of unauthenticated TLS, so the protocols and
implementations had to be designed to deal with the fact that a very large
proportion of existing server certificates were wrong. I would prefer not
to have to deal with that again.
> First, a simple assertion: DoTA is only possible/available if it is
> configured by the authoritative DNS operator. Thus, the control of the
> state of whether DoTA is available for zones operated by that operator,
> resides entirely with the operator. This also means that, depending on
> how DoTA availability is signalled or detected, the methods of
> correcting faults in the DoTA operation can vary. Thus, selecting
> signalling/detection mechanisms should take the corrective actions
> available into consideration. IMHO this should actually dominate the
> design.
Yes.
> Third, I'll restate it here: The important characteristic is that whatever
> method(s) are used, they need to be completely downgrade resistant to all
> attack mechanisms, and they need to fail safe.
With the caveat that incremental deployment needs to be possible: If a
zone is hosted by multiple authoritative providers, it should be possible
for one of those providers to deploy DoT without the co-operation of the
zone owner or other providers, and without compromising the availability
of the zone.
That implies a zone only gets a guaranteed private transport if all of its
authoritative providers guarantee a private transport.
Tony.
--
f.anthony.n.finch  http://dotat.at/
Sole: East 4 to 6, occasionally 7 at first. Rough. Showers later. Good.
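The incremental-deployment reasoning above (one provider of a multi-provider zone enabling DoT on its own, the zone only being guaranteed private once every provider signals it, and a signalled server never being retried in the clear) can be made concrete with a small resolver-side policy model. This is an added illustration, not code from the thread or from any DoT implementation; it deliberately abstracts the still-open signalling question into a per-nameserver flag (`Signal`), and `dot_reachable` is a constructed stand-in for "an authenticated TLS session could be established".

```python
"""Resolver-side policy model for per-provider DoT signalling on an
authoritative NS set (constructed example, not production code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Signal(Enum):
    NONE = "none"  # provider has not signalled DoT: plaintext Do53 is the only option
    DOT = "dot"    # provider signals that authenticated DoT is available


@dataclass(frozen=True)
class Nameserver:
    name: str
    signal: Signal
    dot_reachable: bool  # constructed: can a verified TLS session be set up right now?


class DowngradeRefused(Exception):
    """A DoT-signalling server could not be reached over TLS.

    The resolver must not fall back to Do53 toward this server: otherwise an
    on-path attacker who blocks the TLS port strips the privacy guarantee."""


def zone_private_transport_guaranteed(nameservers: List[Nameserver]) -> bool:
    """The zone's transport is guaranteed private only if every
    authoritative provider guarantees it (the AND across the NS set)."""
    return bool(nameservers) and all(ns.signal is Signal.DOT for ns in nameservers)


def transport_for(ns: Nameserver) -> str:
    """Fail-safe transport choice for a single server."""
    if ns.signal is Signal.DOT:
        if ns.dot_reachable:
            return "dot"
        raise DowngradeRefused(ns.name)
    return "do53"


def plan_query(nameservers: List[Nameserver]) -> dict:
    """Simulate one resolver attempt against the NS set.

    DoT-signalling servers are tried first so privacy is used whenever any
    provider offers it.  A DoT server whose TLS fails is recorded as
    "refused-downgrade" and skipped, never retried in the clear; the query
    then moves on to the next server, which keeps the zone available even
    while only some providers have deployed DoT.
    """
    ordered = sorted(nameservers, key=lambda ns: ns.signal is not Signal.DOT)
    attempts: List[Tuple[str, str]] = []
    answer_via: Optional[Tuple[str, str]] = None
    for ns in ordered:
        try:
            transport = transport_for(ns)
        except DowngradeRefused:
            attempts.append((ns.name, "refused-downgrade"))
            continue
        attempts.append((ns.name, transport))
        answer_via = (ns.name, transport)
        break
    return {
        "guaranteed_private": zone_private_transport_guaranteed(nameservers),
        "attempts": attempts,
        "answer_via": answer_via,  # None means SERVFAIL: no safe path remained
    }


if __name__ == "__main__":
    # Constructed scenarios: provider A has not deployed DoT, provider B has.
    mixed = [
        Nameserver("ns1.a.example", Signal.NONE, True),
        Nameserver("ns1.b.example", Signal.DOT, True),
    ]
    print("mixed NS set:", plan_query(mixed))
    broken_b = [
        Nameserver("ns1.a.example", Signal.NONE, True),
        Nameserver("ns1.b.example", Signal.DOT, False),
    ]
    print("B's TLS down:", plan_query(broken_b))
```

The two printed scenarios show the trade-off stated in the message: in the mixed set the query goes to B over DoT but `guaranteed_private` is `False`, because an attacker could still steer the resolver toward A; when B's TLS is down the resolver fails closed on B and answers via A over Do53, so availability is preserved without a downgrade against B.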
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy