On 05/06/2021 13.11, A. Schulze wrote:
> Is "being client centric" a candidate for a "dns-flag-day-2022"? Consider .com would like to intercept gmail.com. Changing the delegation in .com would be enough. Really?
The parent has full control of its subtree anyway. They can even roll the DNSSEC key of the child to anything. Getting a TLS cert for "big names" will be hard without causing alarm, though (e.g. cert. transparency)... and you'd surely need that to intercept e-mail towards an end-client.
Recent discussion threads I see as related were around these two proposals:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation-00.txt
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-delegation-only

--Vladimir