On Jun 10, 2021, at 03:12, Peter van Dijk <[email protected]> wrote:
> 
> 
> We don't feel that this is an "interim" solution because we don't think
> parent-side SVCB is likely to ever come, or be very useful if it is both
> unsigned and rarely available.

Thanks for saying this. Although this is very obvious to those in the DNS/ICANN 
space, it seems the authors of SVCB still haven’t acknowledged this. It is 
important as it is pretty fundamental to the solution space.

> We propose that this be the actual,
> long-term solution.

I understand the desire but I don’t agree as this signal is insecure, and I 
foresee TLDs abusing this as a potential nation state monitor / privacy leak. It 
is also dangerous when used via resolvers.

I still prefer something with DS that can be signed, and validated by the child 
as their intent via CDS. With transparency monitoring.

If we are using overloading, might as well overload securely.

Paul
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
