On 15/02/2021 23:05, Eric Rescorla wrote:
> Sure, I can believe that. I'm not any kind of DNS expert, but it's hard to believe we can't invent *some* signal that you use to ask whoever served you the NS records.
Yep. I think someone had a presentation a while back about how all the approaches considered so far were dead ends or impractical and why. So it may be that a new RRTYPE is needed, in which case I gotta ask why that has a better chance than DNSSEC+DANE, as those seem similarly challenging to me. Of course, if there were something that strongly motivated DNS actors (registrars, TLDs, server operators) that'd be different, but I don't think I've heard of anything that's attractive like that and that meets this requirement. (So there's no equivalent of the HTTPS RRTYPE here that's been suggested so far and that appeals to almost all actors.)

Cheers,
S.
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
