On Thu, Feb 6, 2020 at 5:14 PM Benjamin Kaduk <[email protected]> wrote:

>
> TLS also punts the key-management story to be out of scope.
> We have a lot of worked examples of the Web PKI failing (and also have lots
> of people working really hard to get it to improve, which I greatly
> appreciate), but given that the recursive has no way of knowing what the
> DNS client is planning to do (and that some ~20% of web traffic does not
> use TLS), it's hard for me to argue that this document is making the wrong
> recommendation about DNSSEC validation.
>

Maybe it would be more diplomatic for the document to state that additional
validation might help. DNSSEC is one existing mechanism, but other options
like PSKs of various types (e.g. PAKE) exist.

thanks,
Rob
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy