Manu Bretelle <chan...@gmail.com> wrote:

> Having this as an ID or possibly a github repo may make it easier to refer
> to/iterate than just this email.

Yes! https://github.com/fanf2/draft-dprive-adot

> I had attempted to quickly categorize some of those approaches (albeit a
> much smaller list) in a matrix in [0] but did not follow through since.
>
> [0] https://datatracker.ietf.org/meeting/104/materials/slides-104-dprive-dot-for-insecure-delegations-01

Ah, I haven't been paying enough attention to meetings so I missed this! I
think I need the speaker notes to understand it properly :-)

Your title "DoT for insecure delegations" is interesting: one of the
problems with what I have written so far is that it is too much a post-hoc
justification for using TLSA records to support ADoT. So I have built
nameserver authentication on top of TLSA on top of DNSSEC.

One of my unstated assumptions is that DoT will be problematic for TLDs,
and (with QNAME minimization) it matters more for leaf zones, so it is
likely to be deployed there first. But DNSSEC is deployed to a much higher
proportion of TLDs than leaf zones, so there's a good chance I'm wrong.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Shetland Isles: Southerly 6 to gale 8, decreasing 4 or 5 later in west. Rough
or very rough. Rain or drizzle. Moderate or poor, becoming good later in west.

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
