Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing

Ralf Weber <dns@fl1ger.de> Wed, 29 March 2023 10:50 UTC

From: Ralf Weber <dns@fl1ger.de>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dns-privacy@ietf.org
Date: Wed, 29 Mar 2023 19:50:37 +0900
X-Mailer: MailMate (1.14r5963)
Message-ID: <C02A10B5-E2FA-48EA-BE08-E2FBFB00090E@fl1ger.de>
In-Reply-To: <ZCP9XjjMJn/PUm9P@laperouse.bortzmeyer.org>
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <00209F39-7B17-483E-AFFF-69084F3FF105@fl1ger.de> <ZCP9XjjMJn/PUm9P@laperouse.bortzmeyer.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/fHwdcVeFfXR3A4liYXkLx5NC680>
Subject: Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing

Moin!

On 29 Mar 2023, at 17:57, Stephane Bortzmeyer wrote:

> On Tue, Mar 28, 2023 at 09:29:46PM +0900,
>  Ralf Weber <dns@fl1ger.de> wrote
>  a message of 30 lines which said:
>
>> As I don’t think probing for secure transport is a good idea and
>> hope that we will come up with better solutions that follow the DNS
>> delegation model.
>
> You mean the parent announcing the zone has ADoT servers? This seems a
> good way to have discrepancies between the announce and the reality.

Well, that is how delegation works; sure, there will be discrepancies, as
we have today with NS records and glue, but that is an operational
error/problem we have to deal with.

>> While I think using IP addresses for authoritative server selection
>> is a natural choice, there have been cases where an authoritative
>> server on the same IP answers differently depending on the domain
>> asked, which will not work well with the detailed implementation of
>> that draft.
>
> The point is that this draft is an opportunity to state clearly what
> we expect from the authoritative name servers. Requesting that all
> instances at the same IP address have DoT does not seem unreasonable
> but, indeed, it is not written anywhere yet.

That is not what I meant. I mean that the same server on the same
IP can answer (or not answer) when asked for a different domain. It
(unfortunately) is an observed pattern used by authorities when they
are under attack. I don’t know how this will be with DoT, but wanted
to mention that it could be needed to differentiate further.

So long
-Ralf
——-
Ralf Weber
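The per-domain behaviour discussed above, as an added illustration (example code, not from the draft and not from anyone on the thread): a deliberately simplified model of a resolver's probing state. It assumes a resolver that remembers whether an encrypted transport worked and keys that memory either by server IP address, as the thread says the draft does, or by (IP, zone). The authoritative behaviour, the documentation address 192.0.2.1 and the zone names are constructed, and the draft's timers and damping periods are left out so that only the effect of the keying choice is visible.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, List, Tuple

# Constructed authoritative behaviour: one server address that answers DoT
# (port 853) for one zone but gives no answer on 853 for another, standing in
# for the "answers differently per domain" pattern the message describes.
# 192.0.2.1 is a documentation address; both zone names are placeholders.
AUTH_DOT_ANSWERS: Dict[Tuple[str, str], bool] = {
    ("192.0.2.1", "example.com."): True,
    ("192.0.2.1", "example.net."): False,
}


@dataclass
class ProbeRecord:
    """What the resolver currently believes about one probing key."""
    encrypted_ok: bool = False   # the last probe on this key succeeded
    timeouts: int = 0            # encrypted attempts that got no answer


@dataclass
class Resolver:
    """Assumed, simplified probing resolver with no timers or damping.

    key_of decides what the probing state is indexed by: server IP only
    (the keying the thread attributes to the draft) or IP plus zone."""
    key_of: Callable[[str, str], Hashable]
    state: Dict[Hashable, ProbeRecord] = field(default_factory=dict)

    def query(self, ip: str, zone: str) -> str:
        key = self.key_of(ip, zone)
        rec = self.state.setdefault(key, ProbeRecord())
        dot_answers = AUTH_DOT_ANSWERS[(ip, zone)]

        if rec.encrypted_ok:
            # Belief says this key supports DoT: send the query encrypted.
            if dot_answers:
                return "encrypted"
            # No answer on 853: the query only completes after a timeout and
            # a cleartext retry, and the belief for this key is reset.
            rec.timeouts += 1
            rec.encrypted_ok = False
            return "timeout-then-cleartext"

        # No positive belief yet: answer over cleartext Do53 now, probe DoT
        # in the background and record the outcome for the next query.
        rec.encrypted_ok = dot_answers
        return "cleartext"


def key_by_ip(ip: str, zone: str) -> Hashable:
    return ip


def key_by_ip_and_zone(ip: str, zone: str) -> Hashable:
    return (ip, zone)


# Constructed query sequence hitting the same IP for both zones.
QUERIES: List[Tuple[str, str]] = [
    ("192.0.2.1", "example.com."),
    ("192.0.2.1", "example.net."),
    ("192.0.2.1", "example.net."),
    ("192.0.2.1", "example.com."),
]


def simulate(key_of: Callable[[str, str], Hashable],
             queries: List[Tuple[str, str]] = QUERIES) -> List[str]:
    """Return the transport outcome of each query under the given keying."""
    r = Resolver(key_of)
    return [r.query(ip, zone) for ip, zone in queries]


def total_timeouts(key_of: Callable[[str, str], Hashable],
                   queries: List[Tuple[str, str]] = QUERIES) -> int:
    """Count encrypted attempts that ran into a timeout under the keying."""
    r = Resolver(key_of)
    for ip, zone in queries:
        r.query(ip, zone)
    return sum(rec.timeouts for rec in r.state.values())


if __name__ == "__main__":
    for name, key_of in (("by IP", key_by_ip), ("by IP+zone", key_by_ip_and_zone)):
        print(f"{name:11} {simulate(key_of)}  timeouts={total_timeouts(key_of)}")
```

With IP-only keying, the successful probe for example.com makes the next example.net query go out encrypted, hit a timeout and reset the belief, so the following example.com query is back to cleartext even though DoT works for it; keying by (IP, zone) keeps the two zones' beliefs apart and no query has to wait for a timeout. The model says nothing about how the draft's own state machine would behave with its timers; it only shows why the keying granularity matters for the pattern Ralf describes.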