Moin!
On 5 Apr 2019, at 10:50, Peter van Dijk wrote:
>> Adding records at child side of cut has its own issues, namely that
>> retroactive authentication can be annoying to implement, and it is
>> more difficult to make the thing work without full DNSSEC chain
>> (glue records, if parent supports that?).
>
> manu’s proposal explicitly targeted unsigned delegations, which I
> also think is an important use case.

No it isn’t. Can we please just use the technology we have to secure
data in the DNS instead of coming up with yet another solution for it.
If people don’t want to DNSSEC sign their own/primary domains they
should put the name server into different domains that can be signed and
thus authenticated.

> Glue records are never signed.

Which isn’t a problem as one can easily validate the records in the
child.

So long
-Ralf
--
Ralf Weber
_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy