Daniel Kahn Gillmor: ALPN handshake is cleartext, so it appears as a zone transfer over an ADoT query. Risks of distinguishability?
Sara: Would have to look at padding and timing to disguise it. Determine which nameservers host zones.
DKG: Detect zone transfer in order to prevent it.
Peter van Dijk: Limit ALPN to SOA and XFR; PowerDNS does NSQuery.
Sara: Did not want to force servers to answer over an encrypted connection if not supported.
Jim Reid: Consider TLS session resumption work.
Sara: A little premature.
Jon Reid: In favor of ALPN.
EKR: What happens right now when I ask for a zone XFR over TCP? Why ALPN?
Sara: We didn't want the requirement that, if an auth was supporting XoT, it had to be ready to answer queries over that connection.
EKR: They can refuse to answer those queries.
Sara: We think it's clearer. Also, IP-based ACL/TSIG; determine when to control zone transfer access.
EKR: Not what ALPN is intended for.
Sara: Weaknesses in both approaches.
DKG: If you do XFR over this connection, this is how it is done.
Petr Spacek: If the draft says handle these queries, and the rest you send back refused.
Sara: Not all operators agree to open TLS queries.
Erik Nygren: Use SNI for this?
Sara: Would we allow any queries for those SNIs?
Sara: Not using ALPN is a tuning problem.
Signalling Authoritative DoT support in DS records, with key pinning
Opportunistic Encryption Use Case