On 6/15/23 15:32, Viktor Dukhovni wrote:
>> I agree that client-side validation would be ideal. One important
>> aspect here is to save on the latency caused by extra queries; my
>> impression is that this extra cost is generally considered
>> prohibitive.
>
> Not sure what you mean by "generally" (is that the browser use case)?

Oh, yes, or in a smartphone app and things like that. Shouldn't have said
"generally", though.

>> Experimental protocols for this have been published. Specifically, RFC
>> 7901 and RFC 9102 come to mind.
>
> These are not always needed.  A local resolver is a good option anywhere
> where last-mile middleboxes don't MiTM and break access to DNSSEC.

Right, but where available, those mechanisms also don't hurt.

(If you already have such a library available because you run *some*
latency-sensitive application, I don't see why one wouldn't also use it where
not strictly needed; doing so saves you the overhead of running the local
resolver.)

>> I'm not aware of any implementations of these protocols -- I think
>> having software support, perhaps experimental, in some of the common
>> software packages would be REALLY cool.
>
> Some folks at NLNetLabs had implementations in progress IIRC.

Right, getdns returns the chain if requested:
https://getdnsapi.net/documentation/spec/#31-extensions-for-dnssec -- If there
are applications making use of this to perform the validation themselves, I'd
be curious to know.

Best,
Peter

--
https://desec.io/
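As an added illustration of the chain-delivery mechanisms the thread mentions (not code from the thread, from getdns, or from NLnet Labs): the snippet below builds and parses the RFC 7901 CHAIN EDNS option (option code 13, whose data is the client's closest trust point as an uncompressed wire-format name) and splits a delivered authentication chain of the RFC 9102 kind (a concatenation of uncompressed wire-format RRs) into individual records that a local validator could then check against its trust anchor. The sample RRs are constructed; name compression is deliberately rejected, since these formats require uncompressed names.

```python
import struct

CHAIN_OPTION_CODE = 13  # EDNS0 option code for CHAIN (RFC 7901)


def encode_name(name: str) -> bytes:
    """Domain name -> uncompressed DNS wire format (root is a single 0 octet)."""
    out = b""
    stripped = name.rstrip(".")
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Parse an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0:  # compression pointer: not permitted in these formats
            raise ValueError("compressed name not allowed")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_chain_option(closest_trust_point: str) -> bytes:
    """Encode the CHAIN option: OPTION-CODE, OPTION-LENGTH, trust point name."""
    data = encode_name(closest_trust_point)
    return struct.pack("!HH", CHAIN_OPTION_CODE, len(data)) + data


def parse_chain_option(option: bytes) -> str:
    """Decode a CHAIN option and return the closest trust point it carries."""
    code, length = struct.unpack("!HH", option[:4])
    if code != CHAIN_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed CHAIN option")
    name, end = decode_name(option, 4)
    if end != len(option):
        raise ValueError("trailing bytes after trust point name")
    return name


def split_chain(chain: bytes) -> list[dict]:
    """Split concatenated uncompressed wire-format RRs into parsed records."""
    off, rrs = 0, []
    while off < len(chain):
        owner, off = decode_name(chain, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", chain[off:off + 10])
        off += 10
        rdata = chain[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RR")
        off += rdlen
        rrs.append({"owner": owner, "type": rtype, "class": rclass,
                    "ttl": ttl, "rdata": rdata})
    return rrs
```

A client that validates locally would pass the result of split_chain to its DNSSEC validator and accept the answer only if the chain links back to the trust point it named in the CHAIN option.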

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop