[DNSOP] Re: [TLS] Re: Re: Re: AD review draft-ietf-tls-svcb-ech

2024-10-08 Thread Philip Homburg
> Distribution trimmed down
> to just dnsop, where the question is most pertinent.
>
> Paul Wouters writes:
> > Of course even better is using RFC 7901 Chain Query and run the few
> > signature validations yourself.
>
> Related, is there any notable software out there that does 7901?
> I started

[DNSOP] Re: [TLS] Re: Re: Re: AD review draft-ietf-tls-svcb-ech

2024-10-08 Thread Eric Rescorla
I agree that you can't trust a resolver that you only know about from ADD.

-Ekr

On Tue, Oct 8, 2024 at 8:31 AM Paul Wouters wrote:
> I agree with your points. Our only difference of opinion seems to be about
> how much one should trust a TRR.
> I still prefer to need to trust them the least po

[DNSOP] Re: [TLS] Re: Re: Re: AD review draft-ietf-tls-svcb-ech

2024-10-08 Thread Paul Wouters
I agree with your points. Our only difference of opinion seems to be about how much one should trust a TRR. I still prefer to need to trust them the least possible, meaning I would want DNSSEC validation to at least detect tampering at the TRR. With more ECH deployed, and less visibility of SNI, th