On 6/28/22 02:56, Paul Wouters wrote:
I thus propose to update RFC 7344 along the lines of (2), such that it is
REQUIRED to retrieve CDS/CDNSKEY records using queries to all authoritative
nameservers.
The question is now how to phrase this exactly. Do we want the parent to use
its "externa
On Tue, Jun 28, 2022 at 9:52 AM Peter Thomassen wrote:
>
>
> On 6/28/22 02:56, Paul Wouters wrote:
> >> I thus propose to update RFC 7344 along the lines of (2), such that it
> is REQUIRED to retrieve CDS/CDNSKEY records using queries to all
> authoritative nameservers.
> >
> > The question is no
Hi Bob,
On 6/28/22 16:20, Bob Harold wrote:
But the parent NS set is not covered by DNSSEC, and thus could be spoofed??
(Wish we could fix that!)
The parental agent (registry, registrar) has off-band definite knowledge of the
delegation's NS records.
As an example, the .edu operator knows wh
On Tue, Jun 28, 2022 at 10:23 AM Peter Thomassen wrote:
> Hi Bob,
>
> On 6/28/22 16:20, Bob Harold wrote:
> > But the parent NS set is not covered by DNSSEC, and thus could be
> spoofed??
> > (Wish we could fix that!)
>
> The parental agent (registry, registrar) has off-band definite knowledge
>
