On Wed, 16 Dec 2015, Paul Vixie wrote:

as the author of the first prototype, let me say that the client side
proxy's only knowledge of its server side proxy is its IP address,
whereas SSL needs a host name. i'd be happy to have all that specified
by people who understand it, along with client-side certs and
server-side SSL ACL's. but i'll still likely use raw HTTP in some
situations, so that should also be specified, even if explicitly
discommended by the final published document.

So raw DNS on a port other than 53 is not something that would need a
big new RFC. And we have dprive doing DNS over TLS.

If TLS is just to break through broken or blocked port 53, we don't need
an HTTP(S) RESTful interface. Raw DNS in TLS would work fine. Same for
raw DNS on port non-53.

So what is the use case for the REST interface?

And yes, I'm a little prejudiced in trying to not add port 80/443 as
another encapsulation layer underneath the internet.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
