On Wed, 12 Sep 2018, Tony Finch wrote:

Then use RFC 7901 DNS chain queries (or the hopefully soon
tls-dnssec-chain TLS extension)

RFC 7901 doesn't work when asking authoritative servers because they
don't have a copy of the chain.

You can set the start of the chain to the zone, so as long as any
chaining would remain within the zone or delegations on the same
server it could work. But perhaps that's stretching things too far.


dns-privacy mailing list
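The idea in the last paragraph of the message above, as an added example that is not part of the original thread: build the RFC 7901 CHAIN option (EDNS option code 13) with the zone apex as the closest trust point, then check whether the chain down to the query name stays in zones hosted on the same server. The `SERVED` map, the zone names and the helper names are constructed assumptions, and CNAME/DNAME targets are not modelled.

```python
import struct

EDNS_CHAIN = 13  # RFC 7901 option code

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def name_to_wire(name):
    """Encode an FQDN in uncompressed DNS wire format."""
    out = b""
    for label in labels(name):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name too long")
    return out

def chain_option(trust_point):
    """EDNS option: code, length, then the closest trust point."""
    data = name_to_wire(trust_point)
    return struct.pack("!HH", EDNS_CHAIN, len(data)) + data

def is_at_or_below(name, apex):
    n, a = labels(name), labels(apex)
    return len(a) <= len(n) and n[len(n) - len(a):] == a

def chain_stays_local(qname, trust_point, served):
    """True if every zone between trust_point and qname is in `served`.

    `served` maps each zone apex hosted on this server to the set of
    child apexes it delegates (hypothetical model of the server's data).
    """
    if trust_point not in served or not is_at_or_below(qname, trust_point):
        return False
    zone = trust_point
    while True:
        child = next((c for c in served[zone] if is_at_or_below(qname, c)), None)
        if child is None:
            return True   # qname lives in `zone`, which this server hosts
        if child not in served:
            return False  # delegated elsewhere: chain leaves the server
        zone = child

# Constructed sample: one server hosting a zone and one of its two children.
SERVED = {
    "example.org.": {"sub.example.org.", "ext.example.org."},
    "sub.example.org.": set(),
}
```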