I've read draft-muks-dnsop-dns-message-checksums-01. I think it's quite well written.
I have a couple of comments about the draft:

1. I wonder whether this should be merged to draft-ietf-dnsop-cookies, as both try to solve the same/similar problems with quite similar approaches (note: I believe I understand the difference, and I'm not saying dnsop-cookies will make dns-message-checksums unnecessary).

2. Regarding the possibility of downgrade attack, you might want to a perhaps obvious (and weak) counter measure: cache the availability of the feature per peer and use it as a hint for further queries.

--
JINMEI, Tatuya
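
A sketch of the per-peer hint cache suggested in comment 2, as an added example that is not part of the original message or of the draft. The class and method names, the TTL value and the verdict strings are hypothetical, and whether a response carried a checksum is passed in as a boolean rather than parsed from a DNS message.

```python
import time
from dataclasses import dataclass


@dataclass
class PeerState:
    supported: bool   # did the recorded response carry a checksum?
    last_seen: float  # clock value when that observation was recorded


class ChecksumSupportCache:
    """Remembers, per peer address, whether responses carried a checksum."""

    def __init__(self, ttl=3600.0, clock=time.monotonic):
        self.ttl = ttl        # assumed lifetime of a hint, in seconds
        self.clock = clock    # injectable so the expiry logic can be tested
        self._peers = {}

    def expect_checksum(self, peer):
        """Hint for the next query: True if the peer recently showed support."""
        state = self._peers.get(peer)
        if state is None or self.clock() - state.last_seen > self.ttl:
            return False
        return state.supported

    def observe(self, peer, has_checksum):
        """Record one response and classify it against the cached hint."""
        expected = self.expect_checksum(peer)
        if has_checksum:
            self._peers[peer] = PeerState(True, self.clock())
            return "checksum-present"
        if expected:
            # Support was seen within the TTL but this response lacks it.
            # The cached state is left untouched, so the hint still expires
            # on schedule if the peer really has dropped the feature.
            return "possible-downgrade"
        self._peers[peer] = PeerState(False, self.clock())
        return "no-support-known"
```

The verdict is only a hint, as the comment says: a peer that legitimately stops sending checksums is flagged until the TTL lapses, and a peer never seen with support gives no signal at all.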