On 18/03/2025 13.37, Philip Homburg wrote:
This is a question of attack model. If we say that this attack model is
unrealistic, then we should document that somewhere. And explcitly say
that those types of attacks will not be considered by the wg.
If a name wants poisoning protection, they should sign it.
With DNSSEC they get way more than just this (protection against on-path
attackers, etc.) DNSSEC isn't that hard nowadays. In some ccTLD you
have majority names signed and majority of clients validating.
Including very important domains and very important clients.
--Vladimir | knot-resolver.cz
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
