In article <cahbrmsdwdotqn8y5zk7rsvepjwwyateyaa6f0oj9desmafh...@mail.gmail.com> you write:

>The ideas floated here about ADoT to the root are not, in my view, about
>privacy (directly). They're about using ADoT to protect the integrity of
>(currently) unsigned data in the root zone.
>
>An alternative solution is to get ADoT bootstrap info from the child zone,
>where it could be signed, before making a query that reveals the next
>label. This could work, but at the cost of an extra roundtrip. (How often
>this latency penalty applies depends on the details of the construction.)
Thinking about it a little more, I think it is likely that there will be islands of ADoT, sort of like there used to be islands of DNSSEC. For example, I expect the people on this list are likely to deploy ADoT long before some of the 2LDs above them. Moreover, all of the problems about getting your DS into the zone above would apply to getting your ADoT signal there. Even with the cost of an extra lookup, it's probably going to work better to have each island describe itself so you don't need an unbroken chain of ADoT from the root.

R's,
John

PS: Yes, this is the opposite of what I said yesterday.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
