Re: [dns-privacy] NS names, was re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

2020-06-09 Thread Christian Huitema
On 6/9/2020 12:21 PM, Shumon Huque wrote: > On Tue, Jun 9, 2020 at 2:31 PM John Levine > wrote: > > In article > > > > you write: > >Well, the client could just use the zone

Re: [dns-privacy] re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

2020-06-09 Thread Paul Wouters
On Tue, 9 Jun 2020, Robin Geuze wrote: So let's start at the beginning, why do we want to encrypt the communication between the resolvers and the authoritatives in the first place. There are two main reasons for encrypting things. One is authentication. I disagree. Setting up a TLS

Re: [dns-privacy] NS names, was re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

2020-06-09 Thread Shumon Huque
On Tue, Jun 9, 2020 at 2:31 PM John Levine wrote: > In article < > cahpuvduozvecj5jfd6nxyj-crhtjts1n8vcc5pc3uwqeclo...@mail.gmail.com> you > write: > >Well, the client could just use the zone name as the SNI, no? You can > assign > >certificates with the same name but different keys to each of

Re: [dns-privacy] re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

2020-06-09 Thread Shumon Huque
On Tue, Jun 9, 2020 at 1:26 PM Peter van Dijk wrote: > Hi Shumon, > > On Tue, 2020-06-09 at 12:37 -0400, Shumon Huque wrote: > > I think TLSA in the child zone could be made to work though, so I think > it's > still worth thinking about some more. Here's my suggestion: > > Place the TLSA record

Re: [dns-privacy] re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

2020-06-09 Thread Peter van Dijk
Hi Shumon, On Tue, 2020-06-09 at 12:37 -0400, Shumon Huque wrote: > I think TLSA in the child zone could be made to work though, so I think it's > still worth thinking about some more. Here's my suggestion: > > Place the TLSA record at the zone name, i.e. at the apex of the child zone, >

Re: [dns-privacy] re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

2020-06-09 Thread Shumon Huque
On Tue, Jun 9, 2020 at 11:49 AM Robin Geuze wrote: [...] > So we are back to ideally signaling something via the parent. The only > way to do this securely and without registries having to make large > changes would be to use the DS record. The simplest way to accomplish > this would be to just

Re: [dns-privacy] re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

2020-06-09 Thread Robin Geuze
Hello Paul, I wanted to take a step back and explain the reasoning behind this implementation and why we didn't pick a different implementation. So let's start at the beginning, why do we want to encrypt the communication between the resolvers and the authoritatives in the first place.