On Thu, 14 Feb 2019, zuop...@cnnic.cn wrote:
This idea is just a sketch model and provides another option for DNS security and privacy. Transiting trust is hard but may be accomplished in the future. The deployment of DNSSEC also takes a long time and is still in progress.
No. It simply will break applications. For example, the libreswan IKE daemon using DNSSEC will use the system's forwarder and perform full DNSSEC validation, without having any idea of the chain of forwarders. It does not need to, because it is using proper DNSSEC validation. Your proposal of using transport security implies your node can always talk to any worldwide DNS server. That is not the case in most networks.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop