Moin!
On 25 Oct 2020, at 21:21, Paul Hoffman wrote:
See
<https://emilymstark.com/2020/10/24/strict-transport-security-vs-https-resource-records-the-showdown.html>.
Emily is a well-known developer on the security side of Chrome browser
development.
Upgrading the user to https is only one use case for the HTTPS resource
record. In fact it is not the required behaviour as all of my HTTPS RR
testing so far has been with http as I didn’t want to get certificates
for the 10+ domains with different behaviour I created. Works fine with
the current clients (iOS 14/MacOS 11). It also solves the CNAME at the
APEX problem and allows more options for transport before the initial
setup of the connection.
I also think that any list hardcoded in browser/OS deployments is a bad
idea for a long term solution (that includes auto upgrades of DoH servers
;-) and it looks like STS has already shown that. DNS being a
distributed mechanism is far better suited as it does not require an
update of the end device.
Just my .02 cents as a DNS guy ;-).
So long
-Ralf
——-
Ralf Weber
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
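Added example, not code from Ralf or from any browser or resolver: a small Python
model of what a client does with an HTTPS resource record (RFC 9460), covering the
two points the message makes, an AliasMode record at the apex (where a CNAME cannot
sit) and ServiceMode records that announce ALPN, port and address hints before the
first connection. The zone data, names and 192.0.2.x addresses are constructed for
the example; the wire format and selection rules follow RFC 9460.

```python
"""Parse HTTPS/SVCB RDATA in wire format and pick endpoints like a client would.
Constructed example; zone content below is made up for illustration."""
import struct

# SvcParamKey registry values from RFC 9460 section 14.3.2
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def encode_name(name):
    """Uncompressed DNS wire-format name; "." encodes as a single zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def decode_svcparam(key, val):
    name = SVCPARAM_KEYS.get(key, "key%d" % key)
    if name == "alpn":          # sequence of length-prefixed ALPN ids
        ids, off = [], 0
        while off < len(val):
            n = val[off]
            ids.append(val[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        return name, ids
    if name == "port":
        return name, struct.unpack("!H", val)[0]
    if name == "ipv4hint":
        return name, [".".join(str(b) for b in val[i:i + 4]) for i in range(0, len(val), 4)]
    if name == "mandatory":
        return name, list(struct.unpack("!%dH" % (len(val) // 2), val))
    return name, val            # ech, ipv6hint and unknown keys stay opaque here


def parse_https_rdata(rdata):
    prio = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:     # RFC 9460 section 2.2: keys must be strictly increasing
            raise ValueError("malformed SvcParams: key order")
        last_key = key
        name, value = decode_svcparam(key, rdata[off:off + ln])
        off += ln
        params[name] = value
    # RFC 9460 section 8: a record is unusable if "mandatory" names a key we do not implement
    usable = all(k in SVCPARAM_KEYS and SVCPARAM_KEYS[k] in params
                 for k in params.get("mandatory", []))
    return {"priority": prio, "target": target, "params": params, "usable": usable}


def svcparam(key, val):
    return struct.pack("!HH", key, len(val)) + val


def alpn(*ids):
    return b"".join(bytes([len(i)]) + i.encode("ascii") for i in ids)


def build_rdata(prio, target, params=b""):
    return struct.pack("!H", prio) + encode_name(target) + params


# Constructed zone: the apex holds an AliasMode record (SvcPriority 0), which is
# exactly what a CNAME cannot do next to the SOA/NS at the apex.
ZONE = {
    "example.net.": [build_rdata(0, "svc.example.net.")],
    "svc.example.net.": [
        build_rdata(1, ".", svcparam(1, alpn("h3", "h2")) + svcparam(4, bytes([192, 0, 2, 1]))),
        build_rdata(2, "fallback.example.net.",
                    svcparam(1, alpn("h2")) + svcparam(3, struct.pack("!H", 8443))),
    ],
}


def resolve_https(zone, name, max_alias=8):
    """Follow AliasMode records, then return ServiceMode endpoints in priority order."""
    owner = name
    for _ in range(max_alias):
        rrs = [parse_https_rdata(r) for r in zone.get(owner, [])]
        alias = [r for r in rrs if r["priority"] == 0]
        if alias:               # AliasMode: the target's RRset replaces this one entirely
            owner = alias[0]["target"]
            continue
        endpoints = []
        for r in sorted((r for r in rrs if r["usable"]), key=lambda r: r["priority"]):
            p = r["params"]
            endpoints.append({
                "host": owner if r["target"] == "." else r["target"],
                "port": p.get("port", 443),
                # HTTPS default ALPN is http/1.1 unless no-default-alpn is present
                "alpn": p.get("alpn", []) + ([] if "no-default-alpn" in p else ["http/1.1"]),
                "ipv4hint": p.get("ipv4hint", []),
            })
        return endpoints
    raise ValueError("AliasMode chain too long (loop?)")


if __name__ == "__main__":
    for ep in resolve_https(ZONE, "example.net."):
        print(ep)
```

The bounded AliasMode loop and the strict key-order check are the two defensive
details worth keeping in a real implementation: an alias chain that never
terminates and out-of-order or duplicated SvcParams are both malformed input
that a parser should reject rather than follow.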