Re: [dns-privacy] Authoritative Server Operator Perspective

2018-10-11 Thread Brian Haberman


On 10/11/18 1:56 PM, Tony Finch wrote:
> Apart from the basic mechanics that we have already mentioned, I think the 
> interesting question here is how to manage scalability to lots of zones: if 
> we publish encryption/authentication information about nameservers in the DNS:
> 
> * is it published per server, associated with the server’s canonical name?
> 
> * what about in-bailiwick aliases?
> 
> * how important is it to avoid replicating this information in every zone 
> hosted on the server?
> 
> * does it help to use the reverse DNS instead?

This question brings up a topic that would require a fair amount of
interchange with DANE. What are the benefits/drawbacks of having DANE
records in the reverse tree for each server?

There are probably a myriad of issues to work through, but it looks like
that would alleviate a fair amount of complexity at the zone level.

Still need to think through the gory details...

Brian



___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy


Re: [dns-privacy] Authoritative Server Operator Perspective

2018-10-11 Thread Tony Finch

Apart from the basic mechanics that we have already mentioned, I think the 
interesting question here is how to manage scalability to lots of zones: if we 
publish encryption/authentication information about nameservers in the DNS:

* is it published per server, associated with the server’s canonical name?

* what about in-bailiwick aliases?

* how important is it to avoid replicating this information in every zone 
hosted on the server?

* does it help to use the reverse DNS instead?

Tony.
-- 
f.anthony.n.finch http://dotat.at

