Sara Dickinson <s...@sinodun.com> wrote:
>
> A new draft has been submitted outlining using DNS-over-TLS for zone
> transfers.

I've had a brief skim. It's entirely driven by zone confidentiality, which is a fine thing, but from my point of view the interesting possibility is to get transport integrity (like TSIG) but with much simpler key management.

Single-ended public key authentication of the primary with IP-based access control for secondaries should be an easy upgrade for those that do not currently use TSIG, and really nice for stealth secondaries. Double-ended public key auth will help reduce the need to break out gpg for key exchange with oldskool third-party secondarying arrangements.

So I think this is interesting from the dnsop perspective as well as dprive.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
an equitable and peaceful international order

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
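The two arrangements in Tony's message (primary-only authentication with an IP access list for secondaries, and double-ended authentication where the secondary also proves a pinned key) can be exercised end to end with the Go standard library's TLS stack. The program below is an added illustration written for this page; it is not code from the draft, from any DNS implementation, or from the thread's participants. It constructs throwaway self-signed certificates for the hypothetical names ns1.example (primary) and ns2.example (secondary), pins them directly as trust anchors instead of using a CA, and runs the handshakes over loopback TCP so it works offline. It stops at the TLS handshake; no AXFR/IXFR messages are sent. One caveat it makes visible: under TLS 1.3 the client's handshake can complete before the server has rejected a missing client certificate, so both sides' results must be checked, not just the secondary's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// identity makes a throwaway self-signed certificate for one name (constructed
// for this example) plus the pool a peer uses to pin exactly that key.
func identity(name string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, _ := x509.ParseCertificate(der) // parsing our own fresh DER cannot fail
	pin := x509.NewCertPool()
	pin.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pin
}

// xfrAttempt connects a secondary to a primary over loopback TCP and returns
// each side's handshake error. The primary applies the IP access list (acl)
// to the source address before any TLS takes place.
func xfrAttempt(primary, secondary *tls.Config, acl *net.IPNet) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		if ip := raw.RemoteAddr().(*net.TCPAddr).IP; !acl.Contains(ip) {
			done <- fmt.Errorf("refused %s: not a configured secondary", ip)
			return
		}
		done <- tls.Server(raw, primary).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	return tls.Client(raw, secondary).Handshake(), <-done
}

// Demo runs the arrangements discussed above and reports, per scenario,
// whether both sides accepted the transfer connection.
func Demo() map[string]bool {
	primary, pinPrimary := identity("ns1.example")
	secondary, pinSecondary := identity("ns2.example")
	_, loopback, _ := net.ParseCIDR("127.0.0.0/8")
	_, elsewhere, _ := net.ParseCIDR("192.0.2.0/24") // TEST-NET-1: never matches loopback
	// Single-ended: only the primary proves its identity; secondaries are admitted by source IP.
	primaryOnly := &tls.Config{Certificates: []tls.Certificate{primary}, MinVersion: tls.VersionTLS12}
	pinsPrimary := &tls.Config{RootCAs: pinPrimary, ServerName: "ns1.example", MinVersion: tls.VersionTLS12}
	// Double-ended: the primary also demands a certificate matching the secondary's pinned key.
	mutual := &tls.Config{Certificates: []tls.Certificate{primary}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pinSecondary}
	withOwnKey := &tls.Config{RootCAs: pinPrimary, ServerName: "ns1.example", MinVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{secondary}}
	ok := func(c, s error) bool { return c == nil && s == nil }
	return map[string]bool{
		"single-ended, allowed IP":           ok(xfrAttempt(primaryOnly, pinsPrimary, loopback)),
		"single-ended, IP outside ACL":       ok(xfrAttempt(primaryOnly, pinsPrimary, elsewhere)),
		"double-ended, secondary proves key": ok(xfrAttempt(mutual, withOwnKey, loopback)),
		"double-ended, no secondary key":     ok(xfrAttempt(mutual, pinsPrimary, loopback)),
	}
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-36s accepted=%v\n", k, v)
	}
}
```

Pinning the peer's own certificate as the trust anchor is what keeps key management simple in the single-ended case: the secondary needs one public value for its primary, and the primary needs only its address list. In the double-ended case the primary pins the secondary's key in the same way, which is the TLS equivalent of exchanging a TSIG secret without ever having to transport a secret.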