> On Sep 28, 2020, at 7:09 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> We could log the DNSSEC status only if DNS was 'secure', like we
> log the connection reuse counter only when a connection was used
> more than once.
Makes sense I think, and would probably do the job. The key question is
what to signal; there are three relevant bits to log (similar to
delays=a/b/c/d perhaps):

* Was the MX RRset signed
* Was the MX host address RRset signed
* Were DANE TLSA RRs found for the MX host

If all are false, log nothing; if at least one is true, then log the
triple as some subset of dnssec=mx,addr,tlsa

How does that sound?

-- 
Viktor.
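As an added illustration of the proposal above (example code, not from the thread or from Postfix): an encoder for the "log nothing if all false, else the true subset" rule, and a parser that recovers the triple from delivery log lines so the three bits can be counted. The `dnssec=` field name, the comma-separated `mx,addr,tlsa` syntax, its position in the log line, and the bucket labels are assumptions taken from the proposal, not a released Postfix log format; the sample log lines are constructed.

```python
"""Encoder and parser for the proposed DNSSEC status triple.

Added example; the 'dnssec=' field name, flag syntax and its place in the
delivery log line follow the proposal in the thread and are assumptions,
not a released Postfix log format."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

FIELD = "dnssec"
FLAGS = ("mx", "addr", "tlsa")  # fixed order, as in the proposal


def format_dnssec_status(mx_signed: bool, addr_signed: bool, tlsa_found: bool) -> Optional[str]:
    """Logging side: return the log field, or None when nothing should be logged.

    All three bits false -> log nothing; otherwise log the subset of flags
    that are true, in the fixed mx,addr,tlsa order."""
    present = [name for name, flag in zip(FLAGS, (mx_signed, addr_signed, tlsa_found)) if flag]
    return f"{FIELD}={','.join(present)}" if present else None


@dataclass(frozen=True)
class DnssecStatus:
    mx: bool    # MX RRset was DNSSEC-signed
    addr: bool  # MX host address RRset was DNSSEC-signed
    tlsa: bool  # DANE TLSA RRs were found for the MX host

    @property
    def label(self) -> str:
        # Coarse reporting buckets; these names are this example's own.
        if self.tlsa:
            return "dane"
        if self.mx or self.addr:
            return "signed-no-tlsa"
        return "unsigned"


# The field is absent when all three bits are false, so "no match" is the
# valid all-false case, not a parse error. The flag list is matched as
# word,word,... so the separator comma after the field is not swallowed.
_FIELD_RE = re.compile(rf"\b{FIELD}=([a-z]+(?:,[a-z]+)*)")


def parse_dnssec_status(logline: str) -> DnssecStatus:
    """Analysis side: recover the triple from one delivery log line."""
    m = _FIELD_RE.search(logline)
    if m is None:
        return DnssecStatus(False, False, False)
    seen = set(m.group(1).split(","))
    unknown = seen - set(FLAGS)
    if unknown:
        raise ValueError(f"unknown {FIELD} flag(s) in log line: {sorted(unknown)}")
    return DnssecStatus("mx" in seen, "addr" in seen, "tlsa" in seen)


def summarize(loglines: List[str]) -> Dict[str, int]:
    """Count delivery lines per bucket, e.g. to spot destinations whose MX
    and address records are signed but that publish no TLSA records."""
    return dict(Counter(parse_dnssec_status(line).label for line in loglines))


# Constructed sample lines in Postfix smtp(8) delivery-log style (not real
# logs); the dnssec= field is placed next to delay= purely by assumption.
SAMPLE_LOG = [
    "Sep 28 19:15:01 mail postfix/smtp[1234]: 3ABCDEF1234: to=<alice@example.com>, "
    "relay=mx1.example.com[192.0.2.10]:25, dnssec=mx,addr,tlsa, delay=0.5, "
    "delays=0.1/0.01/0.2/0.19, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Sep 28 19:15:02 mail postfix/smtp[1234]: 3ABCDEF1235: to=<bob@example.net>, "
    "relay=mx.example.net[198.51.100.7]:25, dnssec=mx,addr, delay=0.4, "
    "delays=0.1/0.01/0.1/0.19, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Sep 28 19:15:03 mail postfix/smtp[1234]: 3ABCDEF1236: to=<carol@example.org>, "
    "relay=mail.example.org[203.0.113.5]:25, delay=0.3, "
    "delays=0.1/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_dnssec_status(line))
    print(summarize(SAMPLE_LOG))
```

The encoder and parser round-trip all eight combinations of the three bits, including the all-false case where the field is simply missing from the line; a log consumer therefore has to treat "field absent" as "nothing was secure" rather than as a malformed record.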