On Mar 21, 2022, at 07:10, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:
>
> Constructive thing to do to make DNS secure is to totally abandon
> DNSSEC and rely on DNS cookie or something like that.

DNS cookies provide no data origin security, only a weak transport security against non-onpath attackers. A replacement suggestion for DNSSEC would need a bit more specification than “cookie or something like that”. It would not only need to cover what DNSSEC protects against, but also be worth the pain of a worldwide migration. An internet draft for this would be a good starting point for a discussion.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop