On 12-09-18 at 17:22, Tony Finch wrote:
> Paul Wouters <[email protected]> wrote:
>>
>> Then use RFC 7901 DNS chain queries (or the hopefully soon
>> tls-dnssec-chain TLS extension)
>
> RFC 7901 doesn't work when asking authoritative servers because they
> don't have a copy of the chain.
>
> tls-dnssec-chain will not help iterative resolvers because they will
> already have obtained the chain in the process of locating the server
> they want to authenticate.
Not necessarily for out-of-bailiwick (or deep in-bailiwick) NS records with
glue. If tls-dnssec-chain were obligatory for authoritative DoT servers, then
any kind of signaling that DoT is available would be sufficient.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
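The bailiwick point in the reply above is easier to see with a small model of an iterative resolver's descent. The following is an added illustration, not code from the dns-privacy thread, from any resolver, or from any draft: it walks a constructed zone tree (names and 192.0.2.0/24 addresses are made up for the example), records which zones' DS and DNSKEY the resolver fetched on the way to the authoritative server, and then asks whether that set covers the zone that would hold a TLSA record for the server's own name. Glue lets the resolver skip looking up the NS name, which is exactly when the chain for the NS name's zone is not yet in hand; caching and re-querying are deliberately ignored.

```python
"""Toy model: which DNSSEC chains does an iterative resolver already hold by
the time it picks an authoritative server, and do they cover that server's
own name? Added illustration with a constructed zone tree; "validated" means
the resolver fetched the zone's DS (from the parent) and DNSKEY (from the
zone) on its way down. Caching and re-querying are ignored.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                     # zone apex, e.g. "example.com."
    ns: list                                      # NS target names for the delegation
    glue: dict = field(default_factory=dict)      # NS name -> address handed out by the parent
    children: dict = field(default_factory=dict)  # apex -> Zone for delegated child zones


def labels(name):
    return [l for l in name.rstrip(".").split(".") if l]


def is_subdomain(name, zone):
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def child_cut(zone, qname):
    """The child zone cut of `zone` that qname falls under, if any."""
    return next((c for c in zone.children.values() if is_subdomain(qname, c.name)), None)


def walk(root, qname, validated):
    """Descend from the root toward qname the way an iterative resolver does.
    Returns the authoritative zone for qname; every zone whose DS and DNSKEY
    were fetched on the way is added to `validated`."""
    zone = root
    validated.add(zone.name)
    while (child := child_cut(zone, qname)) is not None:
        ns_name = child.ns[0]
        if ns_name in child.glue:
            # The parent handed us an address, so ns_name itself is never
            # looked up and no chain for ns_name's zone is fetched here.
            pass
        elif is_subdomain(ns_name, child.name):
            raise ValueError(f"{child.name} delegation needs glue for {ns_name}")
        else:
            # No glue: resolving ns_name walks (and validates) its own zones.
            walk(root, ns_name, validated)
        validated.add(child.name)
        zone = child
    return zone


def chain_for(root, name):
    """Apexes of every zone from the root down to the zone containing `name`,
    i.e. the chain needed to validate a TLSA record published under `name`."""
    chain, zone = [root.name], root
    while (child := child_cut(zone, name)) is not None:
        chain.append(child.name)
        zone = child
    return chain


def missing_chain(root, qname):
    """Zones whose DNSSEC chain the resolver still lacks for authenticating,
    by name, the server it is about to contact for qname."""
    validated = set()
    auth = walk(root, qname, validated)
    server = auth.ns[0]
    return sorted(z for z in chain_for(root, server) if z not in validated)


# Constructed zone tree (hypothetical delegations; documentation addresses).
ROOT = Zone(".", ns=["a.root-servers.net."], children={
    "com.": Zone("com.", ns=["a.gtld-servers.net."], glue={"a.gtld-servers.net.": "192.0.2.1"}, children={
        # out-of-bailiwick NS name, but the parent still supplies an address
        "example.com.": Zone("example.com.", ns=["ns1.example.net."], glue={"ns1.example.net.": "192.0.2.53"}),
        # same NS name without glue: the resolver must look it up first
        "other.com.": Zone("other.com.", ns=["ns1.example.net."]),
        # deep in-bailiwick: the NS lives in a grandchild zone, glue from com.
        "deep.com.": Zone("deep.com.", ns=["ns.sub.deep.com."], glue={"ns.sub.deep.com.": "192.0.2.54"}, children={
            "sub.deep.com.": Zone("sub.deep.com.", ns=["ns.sub.deep.com."], glue={"ns.sub.deep.com.": "192.0.2.54"}),
        }),
    }),
    "net.": Zone("net.", ns=["a.gtld-servers.net."], glue={"a.gtld-servers.net.": "192.0.2.1"}, children={
        "example.net.": Zone("example.net.", ns=["ns1.example.net."], glue={"ns1.example.net.": "192.0.2.53"}),
    }),
})


if __name__ == "__main__":
    for q in ("www.example.com.", "www.other.com.", "www.deep.com.", "www.sub.deep.com."):
        print(f"{q:20} chain still missing for server: {missing_chain(ROOT, q)}")
```

With this tree, a query under example.com reaches ns1.example.net through glue from com. and leaves the chains for net. and example.net. unfetched; the same NS name without glue (other.com.) forces a lookup that fetches them; and the deep.com. case shows the in-bailiwick variant, where sub.deep.com.'s chain is missing unless the query itself descends into that zone. A tls-dnssec-chain extension on the authoritative DoT server would hand over precisely the part the resolver is missing in the first and third cases.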
