On Thu, Oct 31, 2019 at 7:38 PM Eric Rescorla <[email protected]> wrote:

> On Thu, Oct 31, 2019 at 2:41 PM Brian Dickson <[email protected]> wrote:
>
>> IMNSHO, ADoT at the leaf + QNAME minimization is all that is required for
>> privacy.
>> I.e. No need for ADoT anywhere other than at the leaf zone's name server
>> (whose NS name might not be in-bailiwick, FYI).
>
> Hmm.... I think that's only true if you are assuming that the NS record
> for the leaf is DNSSEC secured, but that doesn't seem like a safe
> assumption.

Let me re-emphasize this from the original statement: "FOR PRIVACY".
DNSSEC security is orthogonal to privacy, and is not a requirement FOR PRIVACY.
I.e. it is always true.

Brian
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
