Paul Wouters <[email protected]> wrote: > > Then use RFC 7901 DNS chain queries (or the hopefully soon > tls-dnssec-chain TLS extension)
RFC 7901 doesn't work when asking authoritative servers because they don't have a copy of the chain. tls-dnssec-chain will not help iterative resolvers because they will already have obtained the chain in the process of locating the server they want to authenticate. Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at/ Rockall, Malin, Hebrides, Bailey, Fair Isle: West or southwest, becoming cyclonic in Bailey, 5 to 7, increasing gale 8 at times. Rough or very rough, occasionally moderate. Squally showers, thundery at times except in Rockall and Malin. Good, occasionally poor except in Rockall and Malin. _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
