> On Nov 3, 2019, at 07:27, Warren Kumari <[email protected]> wrote:
>
>> Can you expand on this? Is the convention that if I see x-dot.example.com,
>> then I should expect DoT?
>
> Yup, that’s it exactly.
>
> As a DNS person, encoding semantics into the name makes me twitch
It should do more than cause a twitch.
The right way to do this is a DNSKEY flag, which is protected by the signed DS
at the parent. Similar to draft-powerbind for the delegation-only domain.
Telling people to make security decisions based on unsigned DNS glue is not a
good idea.
If you use DNS to signal security information, you have to accept requiring
DNSSEC.
Paul
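The point about a DNSKEY flag being covered by the parent's DS, shown as an added example (not code from this thread or from draft-powerbind): the DS digest is computed over the owner name plus the entire DNSKEY RDATA, flags included, so a flipped flag bit no longer matches the DS the signed parent published, whereas a name or unsigned glue record has no parent-side digest anchoring it. The flag bit value, the 32-byte key and the owner name are constructed placeholders.

```python
import hashlib
import struct

ZONE_KEY_FLAG = 0x0100          # RFC 4034 Zone Key bit
SEP_FLAG = 0x0001               # RFC 4034 Secure Entry Point bit
HYPOTHETICAL_DOT_FLAG = 0x0002  # placeholder for a "DoT offered" flag; NOT an assigned bit

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA (RFC 4034, RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; it too changes when any flag bit changes."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def flag_anchored_in_parent(owner: str, flags: int, algorithm: int, key: bytes,
                            parent_ds_digest: str, flag: int) -> bool:
    """Accept a flag only if the DNSKEY carrying it hashes to the DS the signed parent published.
    A DNSKEY that does not match the parent's DS, or that lacks the bit, yields no signal.
    Glue A/AAAA records have no such parent-side digest, so nothing anchors them."""
    rdata = dnskey_rdata(flags, algorithm, key)
    return ds_digest(owner, rdata) == parent_ds_digest and bool(flags & flag)

# Constructed sample: a fake 32-byte key for example.com, algorithm 15 (Ed25519).
OWNER = "example.com."
ALG = 15
KEY = bytes(range(32))
FLAGS = ZONE_KEY_FLAG | SEP_FLAG | HYPOTHETICAL_DOT_FLAG
# The parent zone would publish the DS for exactly this RDATA; here we compute it ourselves.
PARENT_DS = ds_digest(OWNER, dnskey_rdata(FLAGS, ALG, KEY))

if __name__ == "__main__":
    without = dnskey_rdata(FLAGS & ~HYPOTHETICAL_DOT_FLAG, ALG, KEY)
    print("DS with flag   :", PARENT_DS)
    print("DS without flag:", ds_digest(OWNER, without))
    print("signal accepted:", flag_anchored_in_parent(OWNER, FLAGS, ALG, KEY, PARENT_DS, HYPOTHETICAL_DOT_FLAG))
```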
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy