pusateri> Come to think of it, DNSSEC validation in the stub resolver or pusateri> browser is really a place DoH could shine. Instead of all the pusateri> round trips required for validating up (down) the chain, the pusateri> webserver could package up all those validated records and pusateri> push them so the client/stub could do the validation quickly pusateri> for all of the links in a page in an order that the user is pusateri> most likely to need based on previous statistics and scrolling pusateri> position.
Agreed. My discomfort with some current proposals where I get DNS answers to questions I didn't ask yet would be a lot less if I had full validation info to DNSSEC validate them. Even getting SRV and other service entry points would be less if they're in the domain I'm already playing in and the DNSSEC validate. Trick with this will be getting browser support. We're still debating why SRV is too many lookups vs CNAME at zone apex. Fingers crossed we make progress on both. For other apps, stubby seems like a fine way to get this in the app. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
