On Feb 12, 2021, at 17:28, Joe Abley <[email protected]> wrote:
>
> On 12 Feb 2021, at 15:37, Paul Wouters <[email protected]> wrote:
>
>>> On Fri, 12 Feb 2021, Joe Abley wrote:
>>>
>>> I have discovered that without liberal access to bars and hallways at
>>> in-person IETF meetings, I no longer know how to tell the difference
>>> between ambition and insanity when it comes to technical proposals. I am
>>> quite prepared to find out that in this case the needle is at the crazy
>>> end of the scale.
>>
>> So I think execsum is, REFER is like NS for client, but signed like DS.
>>
>> What does that buy us?
>
> The draft has a section that describes a couple of other possible advantages,
> chiefly in avoiding the overloading of a single RRtype which consequently
> requires special handling downstream of the authority server;

Well, that special handling is there now. So it’s not a big win.

> Just so I understand your reaction, do you mean the dangers *do* outweigh the
> gains?
>

No :)

I think for the special processing this introduces, it doesn’t solve enough problems.

>> If we do something drastic like this, at least provide not only the
>> validatable child NS records, also provide whatever is needed to set up a
>> fully encrypted connection to the child's nameservers so we can get
>> a fully private query chain with no leaks.
>
> I will have to think more about the extent that I think these different
> solutions overlap.

And stated by others, signed glue is another issue. Otherwise, those can be used instead of malicious NS records to accomplish the same.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
