On 13 Jul 2026, at 16:26, Petr Špaček <[email protected]> wrote:

>> Clients that require integrity protection of these signals should use an 
>> authenticated and encrypted transport between client and resolver, such as 
>> DNS over TLS [RFC7858] or DNS over HTTPS [RFC8484]. See Section 6 of 
>> [RFC8914] for more discussion.
> 
> Could we drop the encryption part? TSIG or SIG(0) is a fine integrity 
> protection, too. No need to encrypt when it's not needed.

Thanks, we will make the text more general and avoid the suggestion that 
encrypted transports are the only way.


Joe
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to