Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02 (fwd)

2018-08-11 Thread John Levine
In article you write:
> I am not objecting other than having 0 desire to help out unsigned zones replace origin security with transport security.

The way that ZONEMD is defined in the draft, it's not very useful if the ZONEMD record isn't signed. Otherwise the malicious party can just

Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02 (fwd)

2018-08-10 Thread Paul Wouters
I am not objecting other than having 0 desire to help out unsigned zones replace origin security with transport security. Look at the suggested use of eSNI in unsigned DNS assuming some kind of DOH / DOT transport. This record type could easily be abused for that. Which is why my preference