On Sat, 2020-10-31 at 13:52 -0700, Brian Dickson wrote:
> The most unambiguous signal possible, is the presence of a TLSA record on
> _853._tcp.<NS_name>.

That's quite a far-reaching statement, and I believe it likely to be wrong.

> Using NS names in a separate zone or zones (for each DNS operator) is
> scalable, and facilitates DNSSEC signing, at little to no incremental cost
> and little to no operational complexity

The incremental cost for a resolver (doing a full resolution process for the TLSA records of one or more NS names) is not small, and neither are the latency costs. For 'popular' name servers, this cost can mostly be amortised, leaving the penalty with any domain hosted on an NSset that only has a few domains.

> Using TLSA records at _853._tcp.<NS_NAME> in a signed zone provides an
> unambiguous signal to use optionally TLSA, in a downgrade-resistant manner.

Not downgrade-resistant, until NS names in delegations become signed. (I proposed some solutions for that in other threads; Fujiwara has [independently, I think] now written a draft resembling one of those solutions: https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-delegation-information-signer/?include_text=1 )

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
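As an added example (not part of the thread, and not PowerDNS code), the following Python shows what acting on the "TLSA at _853._tcp.<NS_name>" signal means for a resolver: it derives the extra owner names that must be queried (and DNSSEC-validated) for an NS set, parses TLSA RDATA in both wire and presentation format, matches a DANE-EE record against certificate bytes, and records the downgrade point by treating the signal as downgrade-resistant only when the delegation's NS names are themselves signed. Every name, NS set, TLSA record and certificate byte string here is constructed for illustration; the certificate and SPKI stand-ins are plain byte strings, since extracting a real SubjectPublicKeyInfo would need an ASN.1 parser.

```python
import hashlib
from dataclasses import dataclass


def tlsa_owner_name(ns_name: str, port: int = 853, proto: str = "tcp") -> str:
    """RFC 6698 owner name for a TLSA record: _<port>._<proto>.<host>.

    Port 853 is DNS over TLS (RFC 7858). The host is normalised to lower
    case with a single trailing dot so duplicate NS spellings collapse.
    """
    host = ns_name.rstrip(".").lower()
    return f"_{port}._{proto}.{host}."


def extra_lookups(ns_set) -> list:
    """The additional TLSA queries a resolver needs for one NS set.

    Each distinct NS name costs one more full resolution (plus DNSSEC
    validation of the answer) before the first query to the zone itself.
    """
    return sorted({tlsa_owner_name(ns) for ns in ns_set})


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


_DIGEST_LEN = {1: 32, 2: 64}


def _check(rec: TLSA) -> TLSA:
    expected = _DIGEST_LEN.get(rec.mtype)
    if expected is not None and len(rec.data) != expected:
        raise ValueError(f"matching type {rec.mtype} needs {expected} bytes")
    return rec


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse wire-format TLSA RDATA (RFC 6698 section 2.1)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return _check(TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:])))


def parse_tlsa_presentation(text: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>' (hex may be split)."""
    usage, selector, mtype, *hexparts = text.split()
    data = bytes.fromhex("".join(hexparts))
    return _check(TLSA(int(usage), int(selector), int(mtype), data))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (usage 3) matching only: the other usages also need PKIX
    chain validation, which is out of scope for this example."""
    if rec.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False
    if rec.mtype == 0:
        return rec.data == selected
    if rec.mtype == 1:
        return rec.data == hashlib.sha256(selected).digest()
    if rec.mtype == 2:
        return rec.data == hashlib.sha512(selected).digest()
    return False


def dot_signal(ns_names, tlsa_answers: dict, delegation_ns_signed: bool):
    """Return (use_dot, downgrade_resistant).

    tlsa_answers maps TLSA owner names to DNSSEC-validated record lists.
    Even when every TLSA answer validates, the NS names were taken from
    the parent-side delegation; while those are unsigned, an on-path party
    can substitute names that have no TLSA records, so the signal is only
    downgrade-resistant once the delegation's NS names are signed.
    """
    present = any(tlsa_answers.get(tlsa_owner_name(ns)) for ns in ns_names)
    return present, present and delegation_ns_signed


# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT_DER = b"constructed-der-certificate"
SPKI_DER = b"constructed-subject-public-key-info"
# Constructed record: DANE-EE, SPKI selector, SHA-256 of SPKI_DER.
EXAMPLE_RECORD_TEXT = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()

if __name__ == "__main__":
    ns_set = ["ns1.example.net", "NS2.example.net.", "ns1.example.net."]
    print(extra_lookups(ns_set))
    rec = parse_tlsa_presentation(EXAMPLE_RECORD_TEXT)
    print(tlsa_matches(rec, CERT_DER, SPKI_DER))
    answers = {tlsa_owner_name("ns1.example.net"): [rec]}
    print(dot_signal(ns_set, answers, delegation_ns_signed=False))
```

Running the module prints two owner names for the three NS spellings, a successful DANE-EE match, and `(True, False)`: the signal is present but, with unsigned delegation NS names, not downgrade-resistant.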