Manu Bretelle <chan...@gmail.com> wrote:

> The "cloud provider" case, e.g. few name servers for many zones, is also
> tricky.

I prefer to think of this as the normal common case, since I'm not a cloud
provider and I have many more zones than servers :-)

> I think in those cases, TLSA may be the best bet as this is under
> control of the nameserver, not the zone operator. Then there may be issues
> with being able to opt people in/out. I think in any case, if you want to
> be able to gradually enroll your customers while giving them the choice to
> not be enrolled, you essentially need to provide them with a new NS that
> supports ADoT and have them move over.

Yes. It can be just different aliases for the same server, where the aliases
differ in whether they have associated TLSA records or not. (I need to write
more about nameserver aliases.)

> That hint could be downgraded, but if not, can be used to fetch the TLSA
> record over an unauthenticated TLS connection and then validate it. I
> suppose it just obfuscates the zone, which may be useful *if* multiple name
> server names are behind the same IP and/or the name server name matches the
> zone name (because the TLSA record would be against the name server name, not the zone).
> Unless the query to the parent zone was using ADoT, that information may
> already be known to someone on-path.

Yes. (I think I covered all those points in my notes.)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Fair Isle: South 6 to gale 8. Rough or very rough, occasionally high in
northwest. Rain or squally showers. Good, occasionally poor.

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
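The exchange above turns on two points: the TLSA record is published under the name server's name rather than the zone's, and the same server can be offered under two aliases, one with a TLSA record (opted in to ADoT) and one without. The following is an added illustration, not code from either message nor from any ADoT draft or DNS software. It assumes the RFC 6698 owner-name convention `_853._tcp.<nameserver>` for a DNS-over-TLS listener on TCP/853, a DANE-EE (usage 3) / SPKI (selector 1) / SHA-256 (matching type 1) record, and the RFC 7671 rule that a TLSA RRset that is not DNSSEC-secure is treated as absent. All names, record contents and key bytes are constructed; `CONSTRUCTED_RECORDS` stands in for the DNS lookup a real resolver would perform.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA RDATA: certificate usage, selector, matching type, association data."""
    usage: int
    selector: int
    matching: int
    data: bytes

def tlsa_owner(ns_name: str, port: int = 853, proto: str = "tcp") -> str:
    """RFC 6698 owner name for a name server's TLSA record: _853._tcp.<ns>.

    Note the owner is derived from the *name server* name, never from the
    delegated zone: every zone served by ns-adot.example.net shares this record.
    """
    ns = ns_name.rstrip(".") + "."
    return f"_{port}._{proto}.{ns}"

# Constructed stand-in for the server's SubjectPublicKeyInfo DER (not a real key).
SAMPLE_SPKI = b"\x30\x59\x30\x13constructed-spki-for-ns.example.net"

# Constructed "DNS": two aliases for the same host. Only ns-adot has a TLSA
# RRset (opted in); ns-plain deliberately has none (opted out). 'secure' models
# the DNSSEC validation status (AD) a real resolver would attach to the answer.
CONSTRUCTED_RECORDS = {
    tlsa_owner("ns-adot.example.net"): {
        "secure": True,
        "rrset": [TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())],
    },
    # Constructed case: a TLSA record that exists but is not DNSSEC-signed.
    tlsa_owner("ns-unsigned.example.net"): {
        "secure": False,
        "rrset": [TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())],
    },
}

def lookup_tlsa(ns_name: str, records=CONSTRUCTED_RECORDS):
    """Return (secure, rrset) for the name server's TLSA owner name."""
    entry = records.get(tlsa_owner(ns_name))
    if entry is None:
        return (True, [])
    return (entry["secure"], entry["rrset"])

def spki_matches(record: TLSA, spki_der: bytes) -> bool:
    """Match a DANE-EE(3)/SPKI(1) record against the presented certificate's SPKI."""
    if record.usage != 3 or record.selector != 1:
        return False  # other usages/selectors need PKIX chain handling; out of scope here
    if record.matching == 0:
        return spki_der == record.data
    if record.matching == 1:
        return hashlib.sha256(spki_der).digest() == record.data
    if record.matching == 2:
        return hashlib.sha512(spki_der).digest() == record.data
    return False

def adot_policy(ns_name: str, presented_spki: bytes, records=CONSTRUCTED_RECORDS) -> str:
    """Decide how a resolver should treat a TLS connection to this name server.

    'no-tlsa'       : alias has no TLSA record, so plain (unauthenticated) transport
    'insecure-tlsa' : TLSA exists but is not DNSSEC-secure; RFC 7671 says ignore it
    'authenticated' : a TLSA record matches the presented SPKI
    'mismatch'      : a secure TLSA RRset exists but nothing matches (treat as failure)
    """
    secure, rrset = lookup_tlsa(ns_name, records)
    if not rrset:
        return "no-tlsa"
    if not secure:
        return "insecure-tlsa"
    if any(spki_matches(r, presented_spki) for r in rrset):
        return "authenticated"
    return "mismatch"

if __name__ == "__main__":
    for ns in ("ns-adot.example.net", "ns-plain.example.net", "ns-unsigned.example.net"):
        print(ns, "->", tlsa_owner(ns), adot_policy(ns, SAMPLE_SPKI))
```

The opt-in/opt-out mechanism is visible in the data, not the code: a customer's zone is delegated either to `ns-adot.example.net` or to `ns-plain.example.net`, both resolving to the same address, and only the first owner name carries a TLSA RRset. The `insecure-tlsa` branch is the caveat behind the "fetch the TLSA over an unauthenticated connection" idea: a record that is not DNSSEC-validated gives no authentication, whichever transport delivered it.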