Hiya,

On 30/10/17 15:42, Paul Hoffman wrote:
> Having this document say, in essence, "you don't get opportunistic
> encryption unless you add a DNSSEC validation stack" feels like a
> regression to the original goals of this WG.

I'm not sure that having a stack is such a barrier in reality. Requiring that some DNSSEC signatures validate in order to win the opportunistic game is the problem I think. I'd personally be fine with a "MUST try DNSSEC" statement, though that could be argued to be OTT, given the probability of success, but as DKG and you (and I) agree, it's the failure mode that needs fixing in the draft.

S.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
