On Sun, 2020-05-24 at 17:36 -0400, Paul Wouters wrote:
> On Sun, 24 May 2020, Peter van Dijk wrote:
> > The draft says 'The pseudo DNSKEY record MUST NOT be present in the
> > zone.' What can we add to the text to make it clear that no query is
> > sent to the zone's name servers -until- their TLS
On Sun, 24 May 2020, Peter van Dijk wrote:
On Sun, 2020-05-24 at 13:43 -0400, Paul Wouters wrote:
> But I also don't see the gains of abusing DNSKEY, because you already
> need to query the DNSKEY of the domain to get the pseudo-DNSKEY key,
> and then you already lost your privacy.
The draft says 'The pseudo DNSKEY record MUST NOT be
On 5/24/2020 10:43 AM, Paul Wouters wrote:
> Let's assume we can connect to the .ca nameservers securely and
> privately. We query for nohats.ca. If there is no DS, all bets
> are off as the child cannot signal anything to us securely. If
> there is a DS, we also got NS records, and possibly
On Sat, 23 May 2020, Peter van Dijk wrote:
As I remarked in my reply to Jeremy, I spent quite some time thinking
about how to do the signalling with actual TLSA records, but I
never ended up with a satisfactory solution.
But I don't think your current solution is satisfactory either. It is