On Mon, 4 Nov 2019, Brian Dickson wrote:
> The names of the servers (and certificate management) would be orthogonal to the signaling of DoT support. I would expect the TLSA records would be per-server and orthogonal to the per-zone signaling of DoT support.
Again, that would be Russian roulette. If I get an NS RRset with 3 nameservers, and only one of these has a TLSA record, what should I do?

1) Pick the TLSA one
2) Pick a random one

For 1), if this protocol is widely deployed, all clients will pick 1), so you just shot your redundancy in the foot. For 2), the clients get reduced privacy for no good reason, so why would a client do this?

It is really a per-zone property, not a per-nameserver property.

Paul

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
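As an added illustration of the trade-off Paul describes (this is example code written for this page, not code from the thread or from any DNS resolver), the following Python script models many stub resolvers choosing among an NS RRset of three servers where only one publishes a TLSA record. It runs both per-server policies from the message and, for comparison, an assumed per-zone "all my nameservers do DoT" signal. The zone name, server names, the TLSA set and the per-zone flag are constructed sample data, and the encoding of a per-zone signal is an assumption, not anything the thread specifies.

```python
import random
from collections import Counter

# Constructed sample data (not real DNS records): an NS RRset of three servers
# for a zone, of which only ns1 publishes a TLSA record (per-server signal).
ZONE = "example."
NS_RRSET = ["ns1.example.", "ns2.example.", "ns3.example."]
TLSA_PRESENT = {"ns1.example."}

# Hypothetical per-zone signal, as the message argues for: one flag meaning
# "every nameserver of this zone speaks DoT". Its encoding is an assumption.
ZONE_DOT_SIGNAL = {ZONE: True}


def select_prefer_tlsa(ns_rrset, tlsa_present, rng):
    """Policy 1: always pick a server that has a TLSA record, if there is one.
    Returns (server, encrypted)."""
    dot_capable = [ns for ns in ns_rrset if ns in tlsa_present]
    if dot_capable:
        return rng.choice(dot_capable), True
    return rng.choice(ns_rrset), False


def select_random(ns_rrset, tlsa_present, rng):
    """Policy 2: pick any server uniformly; DoT only if that server has TLSA."""
    ns = rng.choice(ns_rrset)
    return ns, ns in tlsa_present


def select_per_zone(ns_rrset, zone, zone_signal, rng):
    """Per-zone signal: the zone asserts all its servers do DoT, so the
    resolver can pick uniformly and still use DoT every time."""
    ns = rng.choice(ns_rrset)
    return ns, zone_signal.get(zone, False)


def simulate(policy, queries=3000, seed=1):
    """Run many independent clients through one policy and summarise the
    load distribution (redundancy) and the share of queries sent over DoT."""
    rng = random.Random(seed)
    load = Counter()
    encrypted = 0
    for _ in range(queries):
        ns, over_dot = policy(rng)
        load[ns] += 1
        encrypted += int(over_dot)
    return {
        "servers_used": len(load),
        "max_load_share": round(max(load.values()) / queries, 2),
        "encrypted_share": round(encrypted / queries, 2),
    }


def compare_policies():
    """Summaries for the three policies over the constructed RRset."""
    return {
        "prefer_tlsa": simulate(lambda rng: select_prefer_tlsa(NS_RRSET, TLSA_PRESENT, rng)),
        "random": simulate(lambda rng: select_random(NS_RRSET, TLSA_PRESENT, rng)),
        "per_zone": simulate(lambda rng: select_per_zone(NS_RRSET, ZONE, ZONE_DOT_SIGNAL, rng)),
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:12s} {result}")
```

With the per-server signal, policy 1 sends every query over DoT but funnels all load onto the single TLSA server (the lost redundancy), while policy 2 keeps all three servers in use but only about a third of queries are encrypted; the per-zone variant is the only one that gets both properties, which is the point of the message.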
