"Reed, Jon" <[email protected]> writes:
> On the call, someone (Wes?) proposed an alternative such as records in
> the reverse zones.
Yes, I think this solves a number of issues and creates new ones. I.e.,
the list of pros and cons for all solutions includes no item with zero
"cons", unfortunately.
My list for putting a TLSA or similar record at the reverse zone
include:
pros:
- the authoritative server is more likely in control of its reverse zone than
of all the forward zones it's serving
- the number of reverse zone records to update on a key change is 1 per ip
address. The number of name server NS records to update per key
change is 1 per zone supported, which is very very large for some
servers [1].
- it feels cleaner
cons:
- not everyone controls their reverse zone easily, especially for those
that don't hold at least a /24 allocation. Ironically, I fall into
this camp but still think this is a better solution than a name-based one.
- requires more lookups
- requires the reverse tree for that address to be fully signed
And probably more pros and cons I'm not thinking of at the moment.
[1]: the latest huge DANE support jump at
https://stats.dnssec-tools.org/ is due to a large number of zones
suddenly enabling DANE/SMTP on one.com. That shows the scale of
some of the larger zone holders.
--
Wes Hardaker
My Pictures: http://capturedonearth.com/
My Thoughts: http://blog.capturedonearth.com/
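The mechanics behind the trade-offs above, as an added example that is not part of the thread: it builds the owner name a per-address TLSA record would have under the reverse zone, builds and checks TLSA RDATA against a certificate, lists every name on the path that may be a zone cut (the "fully signed" requirement), and shows the "one record per IP address" rollover count. The `_853._tcp.<PTR name>` owner-name convention is an assumption for illustration, and the certificate bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import ipaddress

# Assumed convention (not from the thread): the TLSA record for an
# authoritative server's TLS listener on TCP/853 is published under the
# address's PTR owner name, e.g. _853._tcp.1.2.0.192.in-addr.arpa.
TLS_PORT = 853


def reverse_tlsa_owner(ip_text: str, port: int = TLS_PORT) -> str:
    """Owner name of the (hypothetical) per-address TLSA record."""
    ip = ipaddress.ip_address(ip_text)  # accepts IPv4 and IPv6
    return f"_{port}._tcp.{ip.reverse_pointer}."


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0,
               matching: int = 1) -> tuple:
    """Build TLSA RDATA (usage, selector, matching type, hex data) for a cert.

    Selector 0 covers the full certificate; matching type 0 publishes the
    full DER, 1 is SHA-256 and 2 is SHA-512 (RFC 6698 field semantics).
    """
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) here")
    if matching == 0:
        data = cert_der.hex()
    elif matching == 1:
        data = hashlib.sha256(cert_der).hexdigest()
    elif matching == 2:
        data = hashlib.sha512(cert_der).hexdigest()
    else:
        raise ValueError(f"unknown matching type {matching}")
    return (usage, selector, matching, data)


def tlsa_matches(cert_der: bytes, record: tuple) -> bool:
    """True if the presented certificate matches the published TLSA record."""
    usage, selector, matching, data = record
    expected = tlsa_rdata(cert_der, usage, selector, matching)
    # constant-time comparison of the hex strings
    return hmac.compare_digest(expected[3], data)


def signing_chain(owner: str) -> list:
    """All ancestor names of `owner`, from the TLD down to its parent.

    Any of these may be a zone cut, and every zone on the path must be
    signed with a secure delegation, otherwise the TLSA record cannot be
    validated. This is the cost the 'fully signed reverse tree' con refers to.
    """
    labels = owner.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]


def rollover_records(server_ips: list, old_cert: bytes, new_cert: bytes) -> dict:
    """Records to republish on a key change under the reverse-zone scheme.

    One owner name per server address, and during the transition both the
    old and the new digest are published so either certificate validates.
    """
    return {
        reverse_tlsa_owner(ip): [tlsa_rdata(old_cert), tlsa_rdata(new_cert)]
        for ip in server_ips
    }


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; not real certificates.
    old_cert = b"\x30\x82\x01\x00" + b"old-authoritative-server-cert"
    new_cert = b"\x30\x82\x01\x00" + b"new-authoritative-server-cert"

    for ip in ("192.0.2.1", "2001:db8::1"):
        owner = reverse_tlsa_owner(ip)
        print(owner, "->", len(signing_chain(owner)), "possible zone cuts")

    record = tlsa_rdata(old_cert)
    print("old cert matches:", tlsa_matches(old_cert, record))
    print("new cert matches:", tlsa_matches(new_cert, record))

    for owner, rrs in rollover_records(["192.0.2.1", "192.0.2.2"],
                                       old_cert, new_cert).items():
        print(owner, "needs", len(rrs), "TLSA records during rollover")
```

Running it prints the IPv4 owner with 7 candidate zone cuts and the IPv6 owner with 35, which is the concrete shape of the "requires more lookups" and "fully signed" cons: the reverse tree is deep, and a validator must chase a secure delegation at each cut it actually meets. The rollover dictionary has one entry per address regardless of how many forward zones the server hosts, which is the "1 per IP address" pro.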
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy