> Assuming that in the context of DoH reply size is not an issue, it seems to
> me that this use case is already solved by DNSSEC. Just push all required
> signatures, key material and DS records that allow the receiving side to
> validate the additional information.

that validates it's a valid dns record. And maybe that's the whole answer - at which point we still need to write that down along with the scope of where it's valid.

otoh - maybe it's not the same valid dns record another resolver might want you to use. perhaps you have a stronger trust relationship with that other resolver. hmm.

otoh - maybe an unsigned record is ok in an https context where DNS isn't the https security model.

this is the kind of stuff that I expect is in scope for discussion.

> Are you trying to re-invent DNSSEC for people who don't want to deploy
> DNSSEC

no.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
