On Tue, 2020-05-19 at 10:56 +0100, Jeremy Harris wrote:
> On 19/05/2020 10:24, Peter van Dijk wrote:
> > Name: draft-vandijk-dprive-ds-dot-signal-and-pin
> > Revision: 00
>
> It's almost-but-not-quite DANE, and a TLSA record. Why (not)?
I've thought about many ways to use actual TLSA records, and have read previous drafts and proposals in emails to this group. None of it seemed satisfactory to me.

There are some terse and biased notes in https://github.com/PowerDNS/parent-signals-dot/blob/master/README.md - happy to elaborate on anything I wrote in there.

(There's a side-issue with TLSA, depending on how you use it: in many TLSA 'modes', you are expected to confidently know the name of the thing you are connecting to. NS records in delegations are not signed, so if you misdesign something based on TLSA, you could end up connecting to ns.attacker.example with its entirely valid key/certificate.)

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
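The side-issue in Peter's parenthetical, as an added toy model that is not part of the thread and not PowerDNS code: the delegation's NS names are unsigned, so an on-path attacker can rewrite them in a referral. A design that keys its TLSA lookup on the NS hostname taken from that referral then validates the attacker's nameserver against the attacker's own, perfectly valid, signed TLSA record. A parent-signed signal keyed by the delegated zone name does not have that problem. The hostnames, certificate blobs and the `SIGNED_ZONE_PIN` dict are constructed for illustration; the draft's actual record format is not reproduced here, the dict just stands in for any parent-signed, zone-keyed signal.

```python
import hashlib

# Constructed toy model: not real DNS data and not the draft's record format.
# "Fingerprints" are SHA-256 over a made-up certificate blob.

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

LEGIT_CERT = b"-----CERT ns1.example.net (constructed)-----"
ATTACKER_CERT = b"-----CERT ns.attacker.example (constructed)-----"

# Parent-side delegation for "child.example.". The NS RRset at a zone cut is
# not covered by the parent's signatures, so a referral can be rewritten in
# flight without any DNSSEC validation failing.
UNSIGNED_REFERRAL = {"child.example.": ["ns1.example.net."]}

# DNSSEC-signed TLSA data. The legitimate operator and the attacker each
# control their own signed zone, so both can publish a valid TLSA record for
# their own nameserver hostname.
SIGNED_TLSA = {
    "_853._tcp.ns1.example.net.": fingerprint(LEGIT_CERT),
    "_853._tcp.ns.attacker.example.": fingerprint(ATTACKER_CERT),
}

# Hypothetical parent-signed signal keyed by the delegated zone name rather
# than by a nameserver hostname. The attacker cannot forge it because it sits
# in the parent's signed data; the draft's real encoding is not modelled.
SIGNED_ZONE_PIN = {"child.example.": fingerprint(LEGIT_CERT)}


def rewrite_referral(referral, attacker_ns="ns.attacker.example."):
    """On-path attacker swaps the unsigned NS names; nothing detects this."""
    return {zone: [attacker_ns] for zone in referral}


def auth_by_ns_tlsa(referral, zone, presented_cert):
    """Misdesign: look up TLSA under the hostname the unsigned referral named."""
    ns = referral[zone][0]
    expected = SIGNED_TLSA.get(f"_853._tcp.{ns}")
    return expected is not None and expected == fingerprint(presented_cert)


def auth_by_zone_pin(zone, presented_cert):
    """Pin from parent-signed data keyed by zone name; the NS name is irrelevant."""
    expected = SIGNED_ZONE_PIN.get(zone)
    return expected is not None and expected == fingerprint(presented_cert)


def scenario(attacked: bool):
    """Run one resolution of child.example. with or without an on-path attacker."""
    zone = "child.example."
    referral = rewrite_referral(UNSIGNED_REFERRAL) if attacked else UNSIGNED_REFERRAL
    # The resolver connects to whichever nameserver the referral names, and
    # that server presents its own (valid) certificate.
    cert = ATTACKER_CERT if attacked else LEGIT_CERT
    return {
        "ns_tlsa_accepts": auth_by_ns_tlsa(referral, zone, cert),
        "zone_pin_accepts": auth_by_zone_pin(zone, cert),
    }


if __name__ == "__main__":
    for attacked in (False, True):
        print("attacked" if attacked else "honest", scenario(attacked))
```

In the honest run both checks accept; in the attacked run the NS-hostname TLSA check still accepts, because every DNSSEC signature it verified was genuine, just over the attacker's names, while the zone-keyed pin rejects. The point is that DNSSEC only proves data came from whoever controls the name looked up; if the name itself came from unsigned data, that proof is worthless.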