On 12 Feb 2021, at 15:37, Paul Wouters <[email protected]> wrote:

> On Fri, 12 Feb 2021, Joe Abley wrote:
>
>> I have discovered that without liberal access to bars and hallways at
>> in-person IETF meetings, I no longer know how to tell the difference
>> between ambition and insanity when it comes to technical proposals. I am
>> quite prepared to find out that in this case the needle is at the crazy
>> end of the scale.
>
> So I think execsum is, REFER is like NS for client, but signed like DS.
>
> What does that buy us.

The draft has a section that describes a couple of other possible advantages, chiefly in avoiding the overloading of a single RRtype which consequently requires special handling downstream of the authority server; the kinds of problems that draft-ietf-dnsop-ns-revalidation hoped to solve, for example.

[...]

> Seeing how things would likely misimplement REFER, or run into issues
> because it gets semi supported through generic records and just flies
> along the wrong side of the zone cut, I'd say the dangers of this do
> not outweigh the gains.

Just so I understand your reaction, do you mean the dangers *do* outweigh the gains?

> If we do something drastic like this, at least provide not only the
> validatable child NS records, also provide whatever is needed to set up a
> fully encrypted connection to the child's nameservers so we can get
> a fully private query chain with no leaks.

I will have to think more about the extent that I think these different solutions overlap.

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
