On Sun, 2020-11-15 at 12:40 -0800, Brian Dickson wrote:
> > > Using TLSA records at _853._tcp.<NS_NAME> in a signed zone provides an
> > > unambiguous signal to use optionally TLSA, in a downgrade-resistant
> > > manner.
> >
> > Not downgrade-resistant, until NS names in delegations become signed.
>
> That's a moot point.
> TLSA records MUST be signed, and the TLSA RFC makes this very clear: RFC 6698
> section 4.1 (Determining whether a TLSA RRSet can be used MUST be based on the
> DNSSEC validation state (as defined in [RFC4033]).

Which buys you very little if the name you are looking up is from an
unauthenticated source - like NS names in delegations.

> So, downgrade-resistant, period.

No.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
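The downgrade at issue in the thread, modelled as an added example (not code from the thread or from PowerDNS): a resolver that takes the NS name from the unsigned parent-side delegation can be steered to a name that has no TLSA record and silently falls back to plaintext, while a resolver that takes the NS name from a signed source (here, the child's own signed apex NS RRset) either upgrades to DoT or fails validation outright. The zone names, cache contents and TLSA rdata are constructed; `choose_transport` is a hypothetical policy function, not a real resolver's API.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple
    secure: bool  # DNSSEC validation state: True means "Secure" (RFC 4033)

@dataclass
class ResolverView:
    """Constructed cache of what a validating resolver learned about example."""
    parent_ns: RRset           # NS RRset from the parent-side delegation: never signed
    child_ns: RRset            # NS RRset at the child apex: signed when the zone is signed
    tlsa: dict = field(default_factory=dict)  # owner name -> TLSA RRset

def choose_transport(view: ResolverView, trust_parent_ns: bool) -> str:
    """Return 'dot', 'do53' or 'bogus' for the NS name chosen under the policy."""
    ns = view.parent_ns if trust_parent_ns else view.child_ns
    if not trust_parent_ns and not ns.secure:
        return "bogus"   # signed RRset failed validation: hard error, not a silent downgrade
    tlsa = view.tlsa.get(f"_853._tcp.{ns.rdata[0]}")
    # RFC 6698 section 4.1: a TLSA RRset is usable only when its state is Secure.
    if tlsa is None or not tlsa.secure:
        return "do53"    # no usable signal: plain port 53, exactly the downgrade at issue
    return "dot"

def honest_view() -> ResolverView:
    owner = "_853._tcp.ns1.example."
    return ResolverView(
        parent_ns=RRset("example.", "NS", ("ns1.example.",), secure=False),
        child_ns=RRset("example.", "NS", ("ns1.example.",), secure=True),
        tlsa={owner: RRset(owner, "TLSA", ("3 1 1 <constructed-digest>",), secure=True)},
    )

def tampered_parent_delegation(view: ResolverView) -> ResolverView:
    """On-path modification of the unsigned delegation: point at a name with no TLSA."""
    view.parent_ns = RRset("example.", "NS", ("ns9.other.example.",), secure=False)
    return view

def tampered_child_apex_ns(view: ResolverView) -> ResolverView:
    """The same modification against the signed apex NS RRset breaks its RRSIG."""
    view.child_ns = RRset("example.", "NS", ("ns9.other.example.",), secure=False)
    return view

if __name__ == "__main__":
    v = tampered_parent_delegation(honest_view())
    print("parent NS policy:", choose_transport(v, True))   # do53: silent downgrade
    print("child NS policy: ", choose_transport(v, False))  # dot
```

The TLSA record itself validates in every case; what decides the outcome is whether the name under which it is looked up came from validated data.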