Daniel Kahn Gillmor: ALPN handshake is cleartext, so appears as zone transfer over a DoT query. Risks of distinguishability?
Sara: Would have to look at padding and timing to disguise it. Determine which nameservers host zones.
DKG: Detect Zone Transfer in order to prevent it.
Peter van Dijk: limit ALPN to SOA and XFR, PowerDNS does NSQuery.
Sara: did not want to force servers to answer over an encrypted connection if not supported.
Jim Reid: consider TLS session resumption work
Sara: A little premature.
Jim Reid: In favor of ALPN.
EKR: What happens right now when I ask for a zone XFR over TCP? Why ALPN?
Sara: We didn't want the requirement that, if an auth was supporting XoT, it had to be ready to answer queries over that connection.
EKR: They can refuse to answer those queries
Sara: We think it's clearer. Also, IP-based ACL/TSIG determine when to control zone transfer access.
EKR: Not what ALPN intended for.
Sara: Weaknesses in both approaches
DKG: If you do XFR over this connection, this is how it is done.
Petr Spacek: if Draft says handle these queries, and the rest you send back refused.
Sara: Not all operators agree to open TLS queries.
Erik Nygren: use SNI for this?
Sara: would we allow any queries for those SNI
Sara: Not using ALPN is a tuning problem
Signalling Authoritative DoT support in DS records, with key pinning
Opportunistic Encryption Use Case