Dear all, This proposal has multiple shortcomings compared to DNSCurve. First off, it says that the rationale for TLS over DNSCurve is simply to "take advantage of TLS". I would respectfully submit that DJB can do a better job than the TLS committee, and did. Merely adding bolts and nuts onto a design is not improving it.
Secondly, this proposal only works on TCP. This imposes latency and state requirements that most people would rather avoid. The use of keepalive only addresses computational burden, not state burden, and with the DH speed records we have today unnecessary. Thirdly, this proposal ignores entirely how to validate the server over the TLS connection. Does it need a certificate? Who should be allowed to sign it? How should it be validated? DNSSEC provides a PKI, and this proposal provides another one. Their interactions will not be fun. Fourthly, there is substantial operational knowledge and deployed, working, code implementing DNSCurve. This does not hold for this proposal. Sincerely, Watson Ladd _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
