On Mon, 15 Feb 2021, Paul Wouters wrote:
> Here is a different sentinel:
> _53._dns.ns0.example.com. IN TLSA x y z <base64ofCert>
> Then do (D)TLS
> Now you can choose:
> 1) Use DNS(SEC) for validation
> 2) Use WebPKI[*] for validation
> 3) TOFU
> 4) Take at face value
As PaulH pointed out, the TLSA RFC does not allow one to accept a TLSA
RRset without DNSSEC signature protection. To allow for deployment
without DNSSEC, you could instead use the CERT RRtype that has no such
requirement.
Paul W
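To make the point about the TLSA requirement concrete, here is an added example (not code from the dns-privacy list or from any IETF project) that shows what a client checking the proposed sentinel actually has to do: parse a TLSA record in presentation format, compare the presented DER certificate against it using the selector and matching-type fields (RFC 6698), and refuse to use the RRset unless the resolver reported it as DNSSEC-validated. It reuses the `_53._dns.ns0.example.com.` owner name from the message; the association data is written as hex, which is what RFC 6698 section 2.2 specifies for presentation format. The certificate is a constructed DER skeleton with dummy key and signature bytes, and the `dnssec_secure` flag stands in for the resolver's validation result (the AD bit), which this example does not obtain from DNS. Only the DANE-EE usage (3) is matched against the leaf; the other usages need a chain walk and are out of scope.

```python
# Minimal DANE/TLSA matcher (RFC 6698), standard library only.
# Added example; the certificate below is constructed, not a real X.509 cert.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    owner: str
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(line: str) -> TLSA:
    """Parse '<owner> [TTL] IN TLSA <usage> <selector> <matching> <hex>'."""
    f = line.split()
    if len(f) > 1 and f[1].isdigit():          # optional TTL after the owner
        del f[1]
    if len(f) < 7 or f[1].upper() != "IN" or f[2].upper() != "TLSA":
        raise ValueError("not a TLSA record: %r" % line)
    usage, selector, matching = (int(x) for x in f[3:6])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= matching <= 2):
        raise ValueError("unsupported TLSA parameters in %r" % line)
    return TLSA(f[0], usage, selector, matching, bytes.fromhex("".join(f[6:])))


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos -> (tag, value, end); short/long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split a constructed value into (tag, full TLV bytes) children, so the
    SPKI can later be hashed exactly as it is encoded in the certificate."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_read(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo: Certificate = SEQ{tbs, sigAlg, sig};
    tbs = SEQ{[0] version OPT, serial, sigAlg, issuer, validity, subject, spki, ...}."""
    tag, cert_val, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs_val, _ = der_read(der_children(cert_val)[0][1])
    fields = der_children(tbs_val)
    if fields[0][0] == 0xA0:                   # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]


def tlsa_matches(rr: TLSA, cert_der: bytes) -> bool:
    """Selector picks what is compared, matching type how it is compared."""
    selected = cert_der if rr.selector == 0 else spki_from_cert(cert_der)
    if rr.matching == 0:
        digest = selected
    elif rr.matching == 1:
        digest = hashlib.sha256(selected).digest()
    else:
        digest = hashlib.sha512(selected).digest()
    return hmac.compare_digest(digest, rr.data)


def dane_verify(rrset, leaf_der: bytes, dnssec_secure: bool):
    """The rule the thread points at: a TLSA RRset that was not DNSSEC-validated
    must not be used (RFC 6698 section 4.1). Returns (ok, reason)."""
    if not dnssec_secure:
        return False, "TLSA RRset not DNSSEC-validated; must not be used"
    for rr in rrset:                           # DANE-EE only in this example
        if rr.usage == 3 and tlsa_matches(rr, leaf_der):
            return True, "matched %d %d %d" % (rr.usage, rr.selector, rr.matching)
    return False, "no usable TLSA record matched the presented certificate"


def der(tag: int, value: bytes) -> bytes:
    """DER TLV encoder, used only to build the constructed certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_cert() -> bytes:
    """Structurally valid X.509 skeleton with dummy key/signature bytes (constructed)."""
    ec_oid = der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")                  # id-ecPublicKey
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    spki = der(0x30, der(0x30, ec_oid) + der(0x03, b"\x00\x04" + b"\xab" * 64))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + der(0x30, b"") + der(0x30, der(0x18, b"20210215000000Z") * 2)
              + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 71))


def sentinel_record(cert_der: bytes) -> str:
    """The message's owner name with a DANE-EE / SPKI / SHA-256 association."""
    return ("_53._dns.ns0.example.com. IN TLSA 3 1 1 "
            + hashlib.sha256(spki_from_cert(cert_der)).hexdigest())
```

Running `dane_verify([parse_tlsa(sentinel_record(cert))], cert, dnssec_secure=True)` succeeds, while the same call with `dnssec_secure=False` is rejected before any certificate comparison happens; that early return is exactly the gap an unsigned sentinel leaves, and the reason the thread suggests the CERT RRtype for a no-DNSSEC deployment. Note that selector 0 hashes the whole certificate and selector 1 only the SPKI, so a record published with the wrong selector silently fails to match.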
_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy