No, I might not have explained it clearly. Regarding the connecting requirement, my proposal is no different from existing DNS, except that the recursive server needs to talk to the authoritative server via HTTPS (or TLS) using the TLSA record. The TLSA record contains the child zone's (or the server hosting that child zone's; those details can be discussed in the future) public key and is published in the parent zone. I mean, for the authoritative servers, the trust chain can be built using TLSA other than DS. Then a recursive server can ensure the data it receives in each step of resolving comes from an authenticated server and is encrypted.
zuop...@cnnic.cn

From: Paul Wouters
Date: 2019-02-14 15:34
To: zuop...@cnnic.cn
CC: Stephane Bortzmeyer; dnsop
Subject: Re: Re: [DNSOP] extension of DoH to authoritative servers

On Thu, 14 Feb 2019, zuop...@cnnic.cn wrote:

> This idea is just a sketch model and provides another option for DNS security
> and privacy. Transiting trust is hard but may be accomplished in the future.
> The deployment of DNSSEC also takes a long time and is still in progress.

No. It simply will break applications. For example, the libreswan IKE daemon using DNSSEC will use the system's forwarder and perform full DNSSEC validation, without having any idea of the chain of forwarders. It does not need to, because it is using proper DNSSEC validation.

Your proposal of using transport security implies your node can always talk to any worldwide DNS server. That is not the case in most networks.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
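To make concrete what the TLSA-based check in the proposal above would amount to on the recursive side, here is an added example (not code from the thread, from libreswan, or from any resolver) of the DANE matching step defined in RFC 6698: a resolver holding a TLSA RRset for an authoritative name server compares the certificate that server presents over TLS against each record's selector and matching type. The owner-name helper uses the standard `_port._proto.host` form with port 853 (DNS over TLS); where the TLSA RRset would actually be published (the proposal says the parent zone, which differs from the usual DANE placement) is left as the thread leaves it. All certificate bytes, host names and records below are constructed for the example.

```python
"""DANE/TLSA matching as a resolver-side check (added example, RFC 6698 semantics)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable

# Certificate usage values (RFC 6698, names per RFC 7218). With DANE-EE (3) the
# record pins the server's own certificate or public key with no PKIX chain.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    assoc_data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse presentation format 'usage selector mtype hexdata' (hex may be split)."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs at least four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in USAGE_NAMES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA usage, selector or matching type")
    assoc = bytes.fromhex("".join(fields[3:]))   # raises ValueError on bad hex
    if mtype == 1 and len(assoc) != 32 or mtype == 2 and len(assoc) != 64:
        raise ValueError("association data length does not fit matching type")
    return TLSARecord(usage, selector, mtype, assoc)


def tlsa_owner_name(host: str, port: int = 853, proto: str = "tcp") -> str:
    """Owner name the resolver queries for the TLSA RRset (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def record_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply selector and matching type to what the server presented."""
    data = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 1:
        data = hashlib.sha256(data).digest()
    elif record.matching_type == 2:
        data = hashlib.sha512(data).digest()
    return data == record.assoc_data


def verify_server(rrset: Iterable[TLSARecord], cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the server if any record in the RRset matches (RFC 6698 section 2.1)."""
    return any(record_matches(r, cert_der, spki_der) for r in rrset)


# --- Constructed sample data (not real certificates or keys) ---------------
SAMPLE_CERT = b"CONSTRUCTED-DER-CERT:ns1.example"          # stands in for cert DER
SAMPLE_SPKI = b"CONSTRUCTED-SPKI:ns1.example:key-1"       # stands in for SPKI DER
ROTATED_SPKI = b"CONSTRUCTED-SPKI:ns1.example:key-2"      # key after an unpublished rotation

# A zone operator would publish a DANE-EE / SPKI / SHA-256 record derived from the key.
SAMPLE_TLSA = f"3 1 1 {hashlib.sha256(SAMPLE_SPKI).hexdigest()}"
SAMPLE_RRSET = [parse_tlsa(SAMPLE_TLSA)]


def check_constructed_server(spki_der: bytes = SAMPLE_SPKI) -> bool:
    """Run the check against the constructed RRset; rotated key must fail."""
    return verify_server(SAMPLE_RRSET, SAMPLE_CERT, spki_der)


if __name__ == "__main__":
    print(tlsa_owner_name("ns1.example."), SAMPLE_TLSA)
    print("current key accepted:", check_constructed_server())
    print("rotated key accepted:", check_constructed_server(ROTATED_SPKI))
```

The rotated-key case is the operational point a resolver operator cares about: with DANE-EE pinning, a server whose key changes before the TLSA RRset is updated is rejected outright, so the RRset must carry both old and new records across a rotation.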