Paul Wouters <p...@nohats.ca> wrote: > > The right way to do this is a DNSKEY flag, which is protected by the > signed DS at the parent. Similar to draft-powerbind for the > delegation-only domain.
That's per-zone, though, whereas DoT support is per-server. DS records that somehow encode NS target names in their rdata might work... Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ partnership and community in all areas of life _______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy