Follow up, I think I missed a part that looks a bit incorrect. <snip> a key agreement value encryption (the session key).... </snip>
Moreover, the use of a CA means that all recursive resolvers need to either pay a public CA to sign their values so that all clients' stub resolvers can verify the server, or there is a need for manual exchange of this key. I am not sure how practical it is to have a public CA for every single recursive resolver and what the cost of this model is, and if it is manual key exchange, then we are again back to the old problem and old story, which is trusted anchors.

Best,
Hosnieh

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
