On Monday, 15 July 2019 01:41:10 UTC Rob Sayre wrote:
> Thank you for the elegant response. BCP 61 describes this issue well, too.
>
> https://tools.ietf.org/html/bcp61
>
> DNS seems like it still operates in the clear, and that doesn't seem good.
first we signed transactions with asymmetric keys -- SIG(0). then we signed them with symmetric keys -- TSIG. then we signed data with asymmetric keys -- DNSSEC. then we encrypted transactions with asymmetric keys -- DoT. then the web community caught wind of it and threw a Molotov cocktail into our movie theater -- DoH.

changing DNS isn't quick or easy or cheap -- it's the trifecta of "fast, good, or cheap, choose two" and you have to say "i choose none of the above." and DNS is nowhere near as simple as the web community wants to believe.

we could use a lot more help pushing DNSSEC and DoT, for end to end authenticity and hop by hop secrecy+authenticity. we've done the parts of these that weren't quick and the parts that weren't easy and the parts that weren't cheap as well as the parts that weren't and can't be good. what we need now is a unified deployment effort on these technologies. help?

-- 
Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop