On Mar 22, 2023, at 12:39 PM, Wessels, Duane <dwessels=40verisign....@dmarc.ietf.org> wrote: > My primary concern with this draft is that, as written, it could > be interpreted as a requirement for DNS providers that operate > under contracts that use language such as "shall comply with relevant > existing RFCs".
There are plenty of other DNS-related RFCs that I doubt you comply with because no one cares about them. However, that kind of language is unfortunately not rare. > I'm not sure that was the authors' intention. Our intention, is stated in the first sentence of the Introduction: This document aims to provide guidance to implementers who want to simply enable protection against passive network observers. The "who want" is the key here. There is absolutely no expectation that everyone will implement it. This is no different than, say, QNAME minimization. > For example, section 3 says: > > An authoritative server implementing the protocol described in this > document MUST implement at least one of DoT or DoQ on port 853. > > I can think of a couple ways this guidance could be improved: > > 1. The document could be split into two separate documents for clients > and servers, and the server document could be given Experimental status. > > 2. Clarify that this protocol is optional for servers to deploy. For example: > > The protocol described in this document is OPTIONAL for authoritative > servers. An authoritative server choosing to implement the > protocol described in this document MUST implement at least one > of DoT or DoQ on port 853. Thanks, that sounds good, and we will make that change, and as similar one for resolvers: it is OPTIONAL for them as well. > Also as a point of semantics, when this document uses "implement" > I think maybe it really means "deploy"? I've always thought that > implementation is what developers do and deployment is what operators > do. That is the approach taken with RFCs 7766 (DNS Transport over > TCP - Implementation Requirements) and 9210 (DNS Transport over TCP > - Operational Requirements). The document is talking about both. The mechanics have to be in the implementation, but they have to be turned on in configuration by the operator deploying the implementation. --Paul Hoffman _______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
