On Wed, Sep 12, 2018 at 12:02:56PM +0100, Tony Finch wrote:
>
> The reason for wanting to include the NS targets' TLSA records in the glue
> is so that the resolver can immediately connect over DoT with
> authentication, without having to spend time chasing down TLSA records
> from below the zone cut. It would be a performance optimization.
Maybe I am missing something, but would you not need the DNSSEC records proving the TLSA records are correct too? And if someone is using many nameservers and questionable signature algorithms (*cough* RSA *cough*), the size of the glue could grow rather large, blowing the MTU.

-Ilari

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
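To put the size concern raised above in numbers, here is an added Python estimator (not code from the thread) that computes the uncompressed wire size of the extra glue per nameserver: an A record, a `_853._tcp` TLSA record, and one RRSIG over that TLSA RRset for a given signing algorithm. The names, the 35-byte TLSA RDATA (a SHA-256 digest), the signature lengths and the 1232-byte UDP budget are assumptions chosen for illustration.

```python
# Typical signature lengths (bytes) per DNSSEC algorithm; constructed for illustration.
SIG_BYTES = {"RSASHA256-2048": 256, "ECDSAP256SHA256": 64, "ED25519": 64}

def wire_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format (labels + root byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rr_size(owner: str, rdata_len: int) -> int:
    """Owner name + fixed TYPE/CLASS/TTL/RDLENGTH header (10 bytes) + RDATA."""
    return len(wire_name(owner)) + 10 + rdata_len

def rrsig_rdata_len(signer: str, sig_bytes: int) -> int:
    """RRSIG RDATA: 18 fixed bytes (type covered, algorithm, labels, original TTL,
    expiration, inception, key tag) + signer name + signature."""
    return 18 + len(wire_name(signer)) + sig_bytes

def additional_section_size(ns_names, signer, alg, tlsa_rdata_len=35):
    """Bytes needed to ship, per nameserver, an IPv4 glue record, its TLSA record
    and the RRSIG that proves the TLSA record (Ilari's missing piece).
    tlsa_rdata_len=35 assumes usage/selector/matching (3 bytes) + SHA-256 (32)."""
    total = 0
    for ns in ns_names:
        total += rr_size(ns, 4)                          # A glue
        tlsa_owner = "_853._tcp." + ns                   # DoT port 853 over TCP
        total += rr_size(tlsa_owner, tlsa_rdata_len)     # TLSA
        total += rr_size(tlsa_owner, rrsig_rdata_len(signer, SIG_BYTES[alg]))
    return total

def fits_in_udp(ns_names, signer, alg, limit=1232):
    """True if the extra glue alone stays within an EDNS UDP payload budget
    (1232 bytes assumed here as a conservative, fragmentation-avoiding default)."""
    return additional_section_size(ns_names, signer, alg) <= limit

if __name__ == "__main__":
    # Constructed delegation: four nameservers under one signer.
    servers = [f"ns{i}.example.net" for i in range(1, 5)]
    for alg in SIG_BYTES:
        size = additional_section_size(servers, "example.net", alg)
        status = "fits" if fits_in_udp(servers, "example.net", alg) else "exceeds"
        print(f"{alg:16} {size:5d} bytes of extra glue, {status} 1232-byte budget")
```

Note that the delegation's own NS RRset, DS record and the rest of the referral are not counted, so the real response is larger still.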
