Your solution makes more sense.
On Tue, Oct 8, 2019 at 2:20 AM Keith Moore
> On 10/7/19 4:37 PM, Viruthagiri Thirumavalavan wrote:
> > > If you can figure out a backward compatible way for authoritative DNS
> > > servers to signal that they support DoT without a lot of performance loss
> > > (e.g., a failed probe to port 853 on every query to a non-DoT server), a
> > > lot of people over in dnsop would like to hear about it.
> > How about adding a prefix or label just like our solution for the
> > authoritative DNS servers that support DoT?
> > ns1.example.com => dot-ns1.example.com OR _dot.ns1.example.com
> I was thinking more in terms of a new DNS RR type:
> example.com DOTNS ns1.example.com
> And change DNS servers to return DOTNS records as additional information
> in the same circumstances as they return NS records.
> That way the DOTNS records get automatically discovered in exactly the
> same way that NS records do.
> Of course you want the DOTNS records to be signed with DNSSEC but this is
> less of a problem for RRs in TLD and SLD zones than it is for DNS zones in
ietf-smtp mailing list
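The DOTNS sketch from the thread, as an added example that is not code from the list or from any DNS implementation: resolver-side transport selection from a referral whose additional section carries DOTNS records, so no port-853 probe is needed, and an unsigned DOTNS set is only treated as a hint. DOTNS is a hypothetical RR type as proposed above; the RR and Referral classes, plan_transports and the sample records are constructed here.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# DOTNS is a hypothetical RR type as sketched in the thread, not a registered one.
# Every record below is constructed for illustration.
@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str

@dataclass(frozen=True)
class Referral:
    zone: str
    authority: Tuple[RR, ...]   # NS RRset for the delegated zone
    additional: Tuple[RR, ...]  # DOTNS RRset returned alongside the NS RRset
    dotns_validated: bool       # True only if the DOTNS RRset passed DNSSEC validation

def plan_transports(ref: Referral) -> List[Tuple[str, str, int]]:
    """Choose a transport per NS from the referral alone, with no probe of port 853."""
    ns = [r.rdata for r in ref.authority if r.owner == ref.zone and r.rtype == "NS"]
    dot: Set[str] = {r.rdata for r in ref.additional
                     if r.owner == ref.zone and r.rtype == "DOTNS"}
    plan: List[Tuple[str, str, int]] = []
    for server in ns:
        if server not in dot:
            plan.append((server, "do53", 53))            # no DoT claimed: plain port 53
        elif ref.dotns_validated:
            plan.append((server, "dot", 853))            # signed claim: require TLS
        else:
            # An unsigned DOTNS set could have been injected or stripped on the
            # wire, so it is only a hint: try 853 but permit fallback to 53.
            plan.append((server, "dot-opportunistic", 853))
    return plan

ZONE = "example.com."
NS_SET = (RR(ZONE, "NS", "ns1.example.com."),
          RR(ZONE, "NS", "ns2.example.com."),
          RR(ZONE, "NS", "ns3.example.com."))
DOTNS_SET = (RR(ZONE, "DOTNS", "ns1.example.com."),
             RR(ZONE, "DOTNS", "ns3.example.com."))
SIGNED = Referral(ZONE, NS_SET, DOTNS_SET, dotns_validated=True)
UNSIGNED = Referral(ZONE, NS_SET, DOTNS_SET, dotns_validated=False)

if __name__ == "__main__":
    for entry in plan_transports(SIGNED):
        print(entry)
```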