On Fri, 10 Jun 2016, Stephane Bortzmeyer wrote:
Kim-Minh Kaplan reminded me I forgot the most obvious one: using the X.509 security model. Certs for authoritative name servers, signed by regular CAs, with the IP address of the server in the Subject Alternative Name.
It seems foolish to me to merge the X.509 and DNSSEC PKIs into one. Publishing a TLSA record pinning just the public key seems more in line for authoritative servers, for which you will always have a name, e.g.:

    _53._tcp.ns0.nohats.ca. IN TLSA 3 0 1 323e3584ba6f986cf09f27cf260cac42f5e5bd5e81df705fd33ac59717110389

For recursives that is a little harder because the reverse tree is not so useful. While validating dns.google.com is easy, there can easily be an evil.com certificate that also references 8.8.8.8.

Paul
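As an added example (not from Paul's post or any project), the DANE-EE match a client would perform against a record like the one above, written in plain standard-library Python; the certificate and SPKI byte strings are constructed placeholders rather than real DER, and the owner-name helper illustrates why the pin is bound to the name the client queried rather than to an IP address.

```python
import hashlib
import hmac
from typing import NamedTuple

# TLSA fields (RFC 6698): certificate usage 3 = DANE-EE, where the record itself is
# the trust anchor and no CA chain is consulted; selector 0 = full certificate,
# 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512.
DANE_EE = 3
_SELECT = {0: lambda cert, spki: cert, 1: lambda cert, spki: spki}
_MATCH = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
          2: lambda d: hashlib.sha512(d).digest()}

class TLSA(NamedTuple):
    usage: int
    selector: int
    matching_type: int
    data: bytes

def tlsa_owner(host: str, port: int = 53, proto: str = "tcp") -> str:
    """Name the client queries, so the pin is bound to the name it meant to reach."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation format 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def make_tlsa(cert_der: bytes, spki_der: bytes, selector: int = 1, mtype: int = 1) -> TLSA:
    """DANE-EE record an operator publishes for this certificate or key."""
    return TLSA(DANE_EE, selector, mtype, _MATCH[mtype](_SELECT[selector](cert_der, spki_der)))

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Client-side DANE-EE check of the certificate presented in the TLS handshake."""
    if record.usage != DANE_EE:
        return False  # usages 0-2 additionally require PKIX chain validation, not done here
    try:
        expected = _MATCH[record.matching_type](_SELECT[record.selector](cert_der, spki_der))
    except KeyError:
        return False  # unknown selector or matching type: record is unusable, not a match
    return hmac.compare_digest(expected, record.data)

# Constructed placeholder byte strings standing in for DER encodings (not real X.509).
NS0_CERT, NS0_SPKI = b"constructed-cert-for-ns0", b"constructed-spki-for-ns0"
EVIL_CERT, EVIL_SPKI = b"constructed-cert-for-evil", b"constructed-spki-for-evil"
# The record exactly as written in the post above (full certificate, SHA-256).
POSTED = parse_tlsa("3 0 1 323e3584ba6f986cf09f27cf260cac42f5e5bd5e81df705fd33ac59717110389")
```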
