> > Well, if the OS resolver is validating, it will SERVFAIL with such a
> > query.
>
> The protocol requires special handling of those specific queries,
> so a resolver that understands the protocol will give the desired
> answer. A resolver that doesn't understand the answer will give
> NXDOMAIN even if it is validating because that RRtype is not in
> the root zone.
It seems to go wrong when you have one validating resolver that forwards to a resolver that supports this mechanism.

I don't really see the point of what you propose. For resolvers obtained by DHCP it makes more sense to include the URL in the DHCP reply than to have yet another DNSSEC-violating discovery hack. For manually configured resolvers, it is likely more convenient for the user to just enter the URL and let the system figure out the addresses of the resolvers.

Figuring out what SNI to use using insecure DNS sort of negates any advantage TLS authentication offers.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
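The failure mode raised in this reply (a validating resolver forwarding to a resolver that synthesizes answers for the special query) can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from any draft under discussion; the RRtype name `RESOLVER-INFO`, the resolver URL and the simplified DNSSEC validation rule (an unsigned positive answer for a name in a signed zone is treated as bogus and reported as SERVFAIL) are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the special query type the thread refers to.
SPECIAL_RRTYPE = "RESOLVER-INFO"
# Illustrative subset of RRtypes actually present at the root apex.
ROOT_APEX_TYPES = {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}


@dataclass
class Answer:
    rcode: str                     # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    rdata: Optional[str] = None
    signed: bool = False           # True if the data chains to the root trust anchor


class AuthoritativeRoot:
    """Signed root zone: it only knows the types that really exist at the apex."""

    def query(self, name: str, rrtype: str) -> Answer:
        if name == "." and rrtype in ROOT_APEX_TYPES:
            return Answer("NOERROR", f"<{rrtype} data>", signed=True)
        # The thread states the negative result a protocol-unaware validator
        # reports is NXDOMAIN; the denial is signed, so it validates cleanly.
        return Answer("NXDOMAIN", signed=True)


class ValidatingResolver:
    """A DNSSEC-validating resolver that may or may not understand the protocol."""

    def __init__(self, upstream, understands_protocol: bool = False,
                 resolver_url: Optional[str] = None):
        self.upstream = upstream
        self.understands_protocol = understands_protocol
        self.resolver_url = resolver_url

    def query(self, name: str, rrtype: str) -> Answer:
        if self.understands_protocol and rrtype == SPECIAL_RRTYPE:
            # Special handling: the answer is synthesized locally, so there is
            # no RRSIG chaining to the root; it cannot be marked signed.
            return Answer("NOERROR", self.resolver_url, signed=False)
        return self._validate(self.upstream.query(name, rrtype))

    @staticmethod
    def _validate(ans: Answer) -> Answer:
        if ans.signed:
            return ans
        # Unsigned data for a name inside a signed zone is bogus: SERVFAIL.
        return Answer("SERVFAIL")


def scenarios() -> dict:
    """Return the outcome of the special query for the three cases discussed."""
    root = AuthoritativeRoot()
    aware = ValidatingResolver(root, understands_protocol=True,
                               resolver_url="https://dns.example/dns-query")  # constructed URL
    plain = ValidatingResolver(root)
    # The problematic chain: a validating resolver that does not know the
    # protocol, forwarding to one that does.
    forwarder = ValidatingResolver(aware)
    return {
        "protocol-aware resolver": aware.query(".", SPECIAL_RRTYPE),
        "plain validating resolver": plain.query(".", SPECIAL_RRTYPE),
        "validating forwarder -> aware resolver": forwarder.query(".", SPECIAL_RRTYPE),
    }


if __name__ == "__main__":
    for label, ans in scenarios().items():
        print(f"{label:40s} {ans.rcode} {ans.rdata or ''}")
```

Only the protocol-aware resolver returns the URL; the plain validator returns the signed negative answer, and the forwarder turns the upstream's unsynthesizable-as-signed reply into SERVFAIL, which is the interaction the reply above objects to.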