Hi Paul,

On Tue, 2020-08-11 at 21:43 -0400, Paul Wouters wrote:
> I am against adoption for two reasons. The draft as it currently is,
> requires that domain name owners and nameserver hosting administrators
> synchronise their nameserver TLS keys. This is impossible to do at
> scale.

For various reasons, also unrelated to this draft, I hope that syncing
problem gets solved some day!

> Second, this method introduces a possible national MITM by the TLD being
> able to put in TLD wide DS records that might be published against the
> wishes of the children within the TLD. A protection mechanism via the child
> confirming the parent record with a CDS record would address this concern.

I saw no appetite for that from other WG participants, which is why
this has not made it to the text, but I'm still not opposed to it.

> I truly wish the idea would work. And I still believe a DNSKEY bit on
> the DNSKEY to signal encrypted DNS availability would be worth pursuing.

As I said before, if this is the contribution that makes some other
draft work, I'll also be happy :)

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
