Feasibility of requiring the protocol to prove that the encrypted and unencrypted resolvers are operated by the same entity #9

chris-box · 2020-09-03T16:54:52Z

How does the client learn the encrypted and unencrypted DNS servers are operated by the same administrative domain ?
The client can authenticate the encrypted DNS servers but cannot authenticate the unencrypted DNS server !

Originally posted by @tireddy2 in #2 (comment)

chris-box · 2020-09-03T16:56:54Z

If it is genuinely impossible to prove association between two resolvers when one resolver is unencrypted, then perhaps we should not have the concept at all. But I'm hoping it is not impossible.

chris-box · 2020-11-06T18:33:42Z

draft-pauly-add-deer-00 does this (at least in some circumstances), so it's not impossible.

chris-box added the design label Sep 3, 2020

chris-box mentioned this issue Sep 4, 2020

Proposal for how text from draft-pauly-add-requirements is merged into this one #2

Merged

chris-box closed this Nov 6, 2020

ietf-wg-add / draft-ietf-add-requirements Public

Feasibility of requiring the protocol to prove that the encrypted and unencrypted resolvers are operated by the same entity #9

Feasibility of requiring the protocol to prove that the encrypted and unencrypted resolvers are operated by the same entity #9

chris-box commented Sep 3, 2020

chris-box commented Sep 3, 2020

chris-box commented Nov 6, 2020

ietf-wg-add / draft-ietf-add-requirements Public

Feasibility of requiring the protocol to prove that the encrypted and unencrypted resolvers are operated by the same entity #9

Feasibility of requiring the protocol to prove that the encrypted and unencrypted resolvers are operated by the same entity #9

Comments

chris-box commented Sep 3, 2020

chris-box commented Sep 3, 2020

chris-box commented Nov 6, 2020