If you are interested in using DNSSEC as a root of trust for secure HTTP, I recommend looking into DANE (RFC 7671).
For serving a static outage page, SVCB/HTTPS is actually a pretty effective solution. You would set up a backup server and add it to the HTTPS RRset with higher SvcPriority:

    example.com AAAA 2001:db8::1234
    example.com HTTPS 1 . ;; Default endpoint
    example.com HTTPS 2 example-com.last-resort-backup-service.example. ;; Backup service

Browsers (at least some today) will try the default endpoint first, but fall back to the backup service if the primary is unreachable. If the backup service only has to serve a static error page, it can be operationally isolated or outsourced to avoid correlated failures. (In this example the backup server still has to hold a valid certificate for "example.com".)

--Ben Schwartz
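
Added example, not part of the message above: a sketch of how a client could order the endpoints in that RRset and fall back, keeping the certificate check bound to the origin name. The function names and the `is_reachable` callback are hypothetical, and the parser assumes the simplified record layout used in the message (no TTL or class fields).

```python
# Zone data copied from the message above; everything else is illustrative.
ZONE = """\
example.com AAAA 2001:db8::1234
example.com HTTPS 1 . ;; Default endpoint
example.com HTTPS 2 example-com.last-resort-backup-service.example. ;; Backup service
"""

def parse_https_rrset(zone_text, origin):
    """Return ServiceMode HTTPS records for origin as sorted (priority, target)."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip the trailing comment
        if len(fields) < 4 or fields[1] != "HTTPS":
            continue  # skips the AAAA record and blank lines
        owner, _, priority, target = fields[:4]
        if owner.rstrip(".").lower() != origin.lower():
            continue
        priority = int(priority)
        if priority == 0:
            continue  # AliasMode record, out of scope for this sketch
        if target == ".":
            target = owner  # RFC 9460: "." in ServiceMode means the owner name
        records.append((priority, target.rstrip(".").lower()))
    return sorted(records)  # lower SvcPriority value is tried first

def connection_plan(zone_text, origin):
    """Ordered attempts: host to connect to, and the name the cert must cover."""
    return [
        {"priority": p, "connect_to": t, "cert_must_cover": origin}
        for p, t in parse_https_rrset(zone_text, origin)
    ]

def pick_endpoint(plan, is_reachable):
    """Return the first attempt whose host is reachable, or None."""
    for attempt in plan:
        if is_reachable(attempt["connect_to"]):
            return attempt
    return None

if __name__ == "__main__":
    plan = connection_plan(ZONE, "example.com")
    # Simulate a primary outage: only the backup host answers.
    print(pick_endpoint(plan, lambda host: host != "example.com"))
```

The `cert_must_cover` field stays `example.com` for every attempt, which is why the backup server needs a valid certificate for the origin name even though the client connects to a different host.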
