Hi all, RFC 8484 "DNS Queries over HTTPS" defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Its primary scenario is between a stub resolver and a recursive resolver. I am considering extending the DoH protocol to authoritative servers. To build the trust chain, the child zone publishes a TLSA record instead of a DS record in the parent zone [RFC 6698 may need an update]. The TLSA record contains the certificate that identifies the child zone. In this way, the whole DNS is built on HTTPS, which makes DNS more secure. DNSSEC is not necessary anymore, and many other problems, like fragmentation, will also not exist. The sketch diagram is as follows. Any comments are welcome!
[email protected]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
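The trust-chain step in the proposal above (a TLSA record in the parent that identifies the child zone's certificate, with the resolver checking the certificate it sees in the TLS handshake against that record) is the DANE matching of RFC 6698. The following is an added example written for this page, not code from the original post, from any IETF draft, or from RFC 6698 itself. It builds the TLSA RDATA the parent would publish, renders it in presentation format, and performs the resolver-side check. The certificate bytes are a constructed stand-in for DER (no real certificate is parsed, so only the "full certificate" selector 0 is implemented; selector 1, SPKI, would need a DER parser), and the owner name `_443._tcp.ns1.child.example.` is hypothetical, since the post does not say which owner name such a record would use.

```python
"""DANE-style TLSA matching for a DoH-speaking authoritative server.

Added, illustrative code: not from the original post or any RFC text.
The certificate bytes below are constructed, not real DER.
"""
import hashlib
import hmac
import struct

# RFC 6698 section 2.1: TLSA RDATA = usage(1) | selector(1) | matching(1) | data
USAGE_DANE_EE = 3        # the record's certificate IS the trust anchor, no PKIX chain
SELECTOR_FULL_CERT = 0   # match the full DER certificate
SELECTOR_SPKI = 1        # match the SubjectPublicKeyInfo only (not implemented here)
MATCH_EXACT = 0          # data is the certificate itself
MATCH_SHA256 = 1         # data is SHA-256 of the certificate
MATCH_SHA512 = 2         # data is SHA-512 of the certificate

# Constructed sample "certificates": stand-ins for DER, chosen only so the
# two differ. A real deployment would take these from the TLS handshake.
CHILD_CERT_DER = b"\x30\x82\x01\x0a" + b"child.example ns1 cert".ljust(32, b"\x00")
ROGUE_CERT_DER = b"\x30\x82\x01\x0a" + b"attacker cert".ljust(32, b"\x00")


def tlsa_data(cert_der: bytes, matching: int) -> bytes:
    """Compute the 'certificate association data' for a matching type."""
    if matching == MATCH_EXACT:
        return cert_der
    if matching == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown TLSA matching type {matching}")


def build_tlsa_rdata(cert_der: bytes, usage: int = USAGE_DANE_EE,
                     selector: int = SELECTOR_FULL_CERT,
                     matching: int = MATCH_SHA256) -> bytes:
    """Wire-format RDATA the parent zone would publish for the child's server."""
    if selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("SPKI selector needs a DER parser; full-cert only")
    return struct.pack("!BBB", usage, selector, matching) + tlsa_data(cert_der, matching)


def parse_tlsa_rdata(rdata: bytes):
    """Split wire-format RDATA into (usage, selector, matching, data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than its 3-byte header")
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return usage, selector, matching, rdata[3:]


def presentation_format(owner: str, rdata: bytes) -> str:
    """Zone-file form, e.g. '_443._tcp.ns1.child.example. IN TLSA 3 0 1 <hex>'."""
    usage, selector, matching, data = parse_tlsa_rdata(rdata)
    return f"{owner} IN TLSA {usage} {selector} {matching} {data.hex()}"


def cert_matches_tlsa(presented_cert_der: bytes, rdata: bytes) -> bool:
    """Resolver-side check: does the handshake certificate match the record?

    Returns False (never raises) on any profile this example does not handle,
    so an unknown matching type fails closed rather than being treated as a match.
    """
    usage, selector, matching, data = parse_tlsa_rdata(rdata)
    if usage != USAGE_DANE_EE or selector != SELECTOR_FULL_CERT:
        return False
    try:
        expected = tlsa_data(presented_cert_der, matching)
    except ValueError:
        return False
    # constant-time comparison of the association data
    return hmac.compare_digest(expected, data)


if __name__ == "__main__":
    rdata = build_tlsa_rdata(CHILD_CERT_DER)
    print(presentation_format("_443._tcp.ns1.child.example.", rdata))
    print("child cert matches:", cert_matches_tlsa(CHILD_CERT_DER, rdata))
    print("rogue cert matches:", cert_matches_tlsa(ROGUE_CERT_DER, rdata))
```

Note what this check does and does not give: it binds the TLS certificate to what the parent published, so a man-in-the-middle with a different certificate is rejected, but the record itself is only as trustworthy as the channel it arrived over, which is why the proposal needs the parent's own server to be reached over an already-verified HTTPS connection.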
