On 10/11/18 1:56 PM, Tony Finch wrote:
> Apart from the basic mechanics that we have already mentioned, I think the
> interesting question here is how to manage scalability to lots of zones: if
> we publish encryption/authentication information about nameservers in the DNS:
>
> * is it published per server, associated with the server’s canonical name?
>
> * what about in-bailiwick aliases?
>
> * how important is it to avoid replicating this information in every zone
> hosted on the server?
>
> * does it help to use the reverse DNS instead?

This question brings up a topic that would require a fair amount of
interchange with DANE. What are the benefits/drawbacks of having DANE
records in the reverse tree for each server?

There are probably a myriad of issues to work through, but it looks like
that would alleviate a fair amount of complexity at the zone level.

Still need to think through the gory details...

Brian
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy