Paul Wouters <[email protected]> wrote:

> On Wed, 12 Sep 2018, Tony Finch wrote:
>
> > RFC 7901 doesn't work when asking authoritative servers because they
> > don't have a copy of the chain.
>
> You can set the start of the chain to the zone, so as long as any
> chaining would remain within the zone or delegations on the same
> server it could work. But perhaps that's stretching things too far.
The scenario is that we are querying a parent zone's server, and we want
to get the authenticated TLSA records for the target servers in the
delegation NS records, so we can immediately talk securely to the child
zone's servers. For chain queries to help, the parent zone auth servers
would have to be willing to serve DNSKEY and TLSA records for all their
child zones.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
sovereignty rests with the people and authority in a democracy derives from the people

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
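As an added illustration (my own code, not from this thread or from any resolver implementation): encoding and decoding the RFC 7901 CHAIN EDNS option, whose "closest trust point" field is the "start of the chain" discussed above, plus a sanity check that the trust point is an ancestor of the QNAME so a chain from it to the target TLSA name is at least well-formed. Option code 13 is the IANA assignment for CHAIN; the zone names in the comments are constructed.

```python
import struct

CHAIN_OPTION_CODE = 13  # IANA EDNS option code for CHAIN (RFC 7901)


def encode_name(name: str) -> bytes:
    """Encode an FQDN as an uncompressed RFC 1035 wire-format name."""
    out = b""
    stripped = name.rstrip(".")
    if stripped:  # "." (the root) encodes as the single zero byte
        for label in stripped.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(wire: bytes, offset: int = 0) -> tuple:
    """Decode an uncompressed wire-format name; returns (fqdn, end_offset)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers must not appear in an option
            raise ValueError("compressed name in CHAIN option")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_chain_option(closest_trust_point: str) -> bytes:
    """OPTION-CODE | OPTION-LENGTH | closest trust point (wire-format name)."""
    data = encode_name(closest_trust_point)
    return struct.pack("!HH", CHAIN_OPTION_CODE, len(data)) + data


def parse_chain_option(option: bytes) -> str:
    """Strictly parse a CHAIN option; rejects wrong code, truncation, trailing bytes."""
    code, length = struct.unpack("!HH", option[:4])
    if code != CHAIN_OPTION_CODE:
        raise ValueError("not a CHAIN option: code %d" % code)
    data = option[4:4 + length]
    if len(data) != length:
        raise ValueError("truncated CHAIN option")
    name, end = decode_name(data)
    if end != length:
        raise ValueError("trailing bytes after closest trust point")
    return name


def trust_point_covers(closest_trust_point: str, qname: str) -> bool:
    """Sanity check (my assumption, not an RFC 7901 rule): the chain runs from
    the trust point down to the QNAME, so e.g. "example." covers
    "_853._tcp.ns1.child.example." but not "ns1.child.other."."""
    tp = closest_trust_point.rstrip(".").lower()
    q = qname.rstrip(".").lower()
    return tp == "" or q == tp or q.endswith("." + tp)
```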
