On 4/22/20 9:32 PM, Shumon Huque wrote:
> Since delegation records and glue address records are unsigned, they
> can be spoofed, and DNSSEC should really allow us to detect such
> spoofing once a resolver sees referral data.
I wouldn't put much energy into improving this part in *this* draft. Even DNSSEC-validated NSs and IPs aren't sufficient to ensure privacy, so I'd rather kill this problem by a proper encrypted protocol towards authoritatives (in the current dprive charter).

--Vladimir

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop