On Tue, 2 Mar 2021, Peter van Dijk wrote:

>> It seemed the DS record idea stalled, because the authors didn't really
>> like the additional RTTs needed.

> You have been repeating that we actively refuse to deal with the
> additional RTTs. This is untrue and unfair to the point of rudeness. We
> have repeatedly stated being open to this child verification

It was not my impression the authors were open to it. That is good to
know. Since from what I saw, the discussion stopped here, I thought
the two were related. I'm happy to hear it is not, but also sad to
hear there are other reasons for the document being given up. My
apologies for misinterpreting the situation.

> if the WG had interest, but it did not - only you.

That is not really how security considerations work. I explained that
without it, you would create a TLD scale MITM. You can't ignore that
because you don't like an extra RTT.

> DOTPIN stalled because people, quite rightfully, did not like the idea
> of putting a pin for one NSset in the DS records for a million domains.
> All other concerns (such as deciding the exact level of protocol abuse
> DOTPIN is) are minor in comparison.

Fair enough. Unfortunately, it seems we are now pushed to another pin,
that being LetsEncrypt Root CA :/  Which in itself depends on (insecure)
DNS. Seems the worst of both worlds.

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy