On Jun 10, 2021, at 11:35 AM, Paul Wouters <[email protected]> wrote:

>> We propose that this be the actual,
>> long-term solution.
>
> I understand the desire but I don’t agree as this signal is insecure, and
> foresee TLDs abusing this as potential nation state monitor / privacy leak.

Please say more. I don't see how this proposal leaks anything that could not be trivially determined by probing.

> It is also dangerous when used via resolvers.

Please say more. To me, it is only useful for resolvers.

> I still prefer something with DS that can be signed, and validated by the
> child as their intent via CDS. With transparency monitoring.
>
> If we are using overloading, might as well overload securely.

If you write up a draft, I'm happy to send responses to particular statements in the draft. I don't see how such a DS could be specified in a way that would get more than a trivial amount of deployment. I would be happy to be wrong, given that DS is signed in the parent.

--Paul Hoffman
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
