On 1/6/25 12:18 AM, Taavi Eomäe wrote:
On 06/01/2025 03:01, Michael Thomas wrote:
That makes the assumption that there weren't alternatives a housing
the public keys in DNS that were more secure. There were. There still
are, and they are widely known and deployed.
Wouldn't it suffice if Authentication-Results header were to
optionally contain DNSSEC status for the public key that the signature
was checked against?
This pretty much tells you everything you need to know about the state
of DNSSec:
*google.com*DNSSEC status is:
|unsigned|
*gmail.com*DNSSEC status is:
|unsigned|
Having A-R report its lack of uptake is probably not helpful.
Mike
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
