On Mon, Feb 15, 2021 at 3:04 PM Stephen Farrell <[email protected]> wrote:
>
> On 15/02/2021 22:58, Eric Rescorla wrote:
> > I don't recall. My sense was that people didn't like it being WebPKI rather
> > than DNSSEC, but maybe there's some more fatal reason? If so, I'd certainly
> > appreciate a link to that shooting down.
>
> Forget, sorry. Can look tomorrow or maybe someone'll beat
> me to it - best I recall is maybe that renaming loadsa NSes
> is a non-starter, and getting that into the parent zone is
> a double non-starter. Even if you somehow did it alongside
> the current NS names for a while, load-balancing may break
> whenever a non-supporting recursive randomly lands on the
> <sentinel>.example.org instance.
>
> Something like that anyway IIRC.
>

Sure, I can believe that. I'm not any kind of DNS expert, but it's hard to
believe we can't invent *some* signal that you use to ask whoever served
you the NS records.

-Ekr

> S
>
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
