On Tue, Apr 14, 2015 at 10:33 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:

> DNS is an application that runs on a single port between two hosts. In that
> environment, TLS is always a much more appropriate protection mechanism than
> IPsec for the numerous reasons PaulW gave.
>
> We don't need to document this decision any more than we need to document
> every application's choice to use TLS.
DNS is not an application protocol. It is a mapping protocol serving the presentation and session layers.

That said, all the reasons I am not keen on using TLS apply to IPsec, which has a vast amount of mechanism for exchanging keys that doesn't really meet the needs of DNS confidentiality. The only bit that is useful is the packet format, which is a few hours' work.