On Thu, 2020-05-28 at 12:08 -0400, Paul Wouters wrote:
> On Thu, 28 May 2020, Petr Špaček wrote:
>
> > With your proposal auth server operators need to _also_ operate DNS
> > resolver and tie it together with the auth server. That's a very significant
> > change from how authoritative servers are operated today.
>
> That change is pretty minor compared to including a whole TLS stack in
> a DNS Auth server. Which btw, you could also do with a different program,
> to minimize the traditional auth nameserver code.
>
> Compared to hacking all code at nameservers and registries for mangling
> and unmangling DNSKEY records, I think that is a very reasonable trade-off.

The DNSKEY mangling in a resolver is 10-20 lines of code - I doubt
tls-dnssec-chain can be done in less?

There is no mangling at registries, they convert DNSKEY to DS like they
do for any existing DNSKEY algorithm.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
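The claim that registries derive DS records the same way for any DNSKEY algorithm rests on how the DS digest is defined in RFC 4034 section 5.1.4: the digest covers the owner name and the raw DNSKEY RDATA, and the algorithm number is copied into the DS without being interpreted. The following Python is an added illustration, not code from the thread or from PowerDNS; the key bytes are constructed, and algorithm number 99 is an arbitrary placeholder standing in for a hypothetical new algorithm, not a registered value.

```python
from __future__ import annotations

import hashlib
import struct

# Added example (not from the mailing-list thread): DS derivation as specified in
# RFC 4034 section 5.1.4. The point being illustrated is that nothing here looks
# at the DNSKEY algorithm field beyond copying it through to the DS record.


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length byte, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("label length must be 1..63 bytes")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA on the wire: flags (2 bytes), protocol (1), algorithm (1), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the generic form used for every algorithm
    other than the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (IANA "DS RR Digest Types").
DS_DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            public_key: bytes, digest_type: int = 2) -> tuple[int, int, int, str]:
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DS RR.

    digest = hash(canonical owner name || DNSKEY RDATA). The algorithm number is
    part of the hashed RDATA and is echoed into the DS, but never inspected, which
    is why a registry needs no algorithm-specific code to publish a DS.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    h = DS_DIGEST_ALGORITHMS[digest_type]()
    h.update(canonical_wire_name(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_presentation(owner: str, ds: tuple[int, int, int, str]) -> str:
    """Zone-file style presentation of a DS record."""
    tag, alg, dt, digest = ds
    return f"{owner} IN DS {tag} {alg} {dt} {digest}"


if __name__ == "__main__":
    # Constructed sample key bytes (not a real key). Algorithm 13 is ECDSAP256SHA256;
    # 99 is an arbitrary placeholder for a hypothetical, not-yet-assigned algorithm.
    sample_key = bytes(range(64))
    for alg in (13, 99):
        ds = make_ds("example.com.", 257, 3, alg, sample_key)
        print(ds_presentation("example.com.", ds))
```

Running the block prints one DS line per algorithm number; both are produced by exactly the same code path, with only the echoed algorithm field and the resulting digest differing. A resolver or registry that validates the DS against a DNSKEY likewise only needs the digest type, not the key algorithm, to perform this match.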