On 10/7/19 4:37 PM, Viruthagiri Thirumavalavan wrote:
If you can figure out a backward compatible way for authoritative DNS
servers to signal that they support DoT without a lot of
(e.g., a failed probe to port 853 on every query to a non-DoT
lot of people over in dnsop would like to hear about it.
How about adding a prefix or label just like our solution for the
authoritative DNS servers that support DoT?
ns1.example.com <http://ns1.example.com> => dot-ns1.example.com
<http://dot-ns1.example.com> OR _dot.ns1.example.com
I was thinking more in terms of a new DNS RR type:
example.com DOTNS ns1.example.com
And change DNS servers to return DOTNS records as additional information
in the same circumstances as they return NS records.
That way the DOTNS records get automatically discovered in exactly the
same way that NS records do.
Of course you want the DOTNS records to be signed with DNSSEC but this
is less of a problem for RRs in TLD and SLD zones than it is for DNS
zones in general.
ietf-smtp mailing list