Personally I would use a new opcode and fall back to query on NOTIMP. The payload of the new OPCODE does not have to be decodable by existing servers. This is also how EDNS should have been done.
Since it is next to impossible to hide that you are talking to a server, use unencrypted DNS w/ DNSSEC to get a public key for authoritative servers stored in its own type. This signals support for the new OPCODE. Use that key to encrypt the payload to the server using the new OPCODE, with a session key returned for follow-up transactions.

For recursive servers, add DHCP and RA options which distribute the public keys of the recursive nameservers.

This should work through pure DNS proxies.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]
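The negotiation sketched above (try the new OPCODE first, fall back to QUERY when the server answers NOTIMP), as an added example that is not part of the original message or of any ISC code. It works only on the 12-byte RFC 1035 header; the opcode value 7 is a placeholder for the proposed new OPCODE, and the encrypted payload, the DNSSEC-signed key lookup and the session key are assumed to live outside this block.

```python
import struct

OPCODE_QUERY = 0
OPCODE_ENCRYPTED = 7      # placeholder for the proposed new OPCODE (hypothetical value)
RCODE_NOERROR = 0
RCODE_NOTIMP = 4          # "Not Implemented", RFC 1035 section 4.1.1

def build_header(msg_id, opcode, qr=0, rcode=0):
    """Pack a 12-byte DNS header (RFC 1035 layout); section counts are left at zero."""
    flags = (qr << 15) | ((opcode & 0xF) << 11) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)

def parse_header(msg):
    """Unpack ID, QR, OPCODE and RCODE from the first four bytes of a DNS message."""
    msg_id, flags = struct.unpack("!HH", msg[:4])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF}

def legacy_server(query):
    """Existing server: understands only QUERY and answers NOTIMP to any other opcode,
    echoing ID and OPCODE as RFC 1035 requires. (Constructed stand-in, no network.)"""
    h = parse_header(query)
    rcode = RCODE_NOERROR if h["opcode"] == OPCODE_QUERY else RCODE_NOTIMP
    return build_header(h["id"], h["opcode"], qr=1, rcode=rcode)

def new_server(query):
    """Upgraded server: accepts the new OPCODE as well as QUERY. (Constructed stand-in.)"""
    h = parse_header(query)
    ok = h["opcode"] in (OPCODE_QUERY, OPCODE_ENCRYPTED)
    return build_header(h["id"], h["opcode"], qr=1, rcode=RCODE_NOERROR if ok else RCODE_NOTIMP)

def negotiate(server, msg_id=0x1234):
    """Try the new OPCODE first and fall back to QUERY on NOTIMP.
    Returns the opcode the transaction finally succeeded with."""
    for opcode in (OPCODE_ENCRYPTED, OPCODE_QUERY):
        resp = parse_header(server(build_header(msg_id, opcode)))
        # A reply that does not echo our ID and OPCODE is not an answer to this query;
        # treating it as one would let any stray packet steer the fallback decision.
        if resp["qr"] != 1 or resp["id"] != msg_id or resp["opcode"] != opcode:
            raise ValueError("response does not match the query")
        if resp["rcode"] == RCODE_NOERROR:
            return opcode
        if resp["rcode"] != RCODE_NOTIMP:
            raise ValueError(f"unexpected rcode {resp['rcode']}")
    raise RuntimeError("server implements neither opcode")
```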
