Re: [DNSOP] Updating RFC 7344 for cross-NS consistency

2022-06-28 Thread Bob Harold
On Tue, Jun 28, 2022 at 10:23 AM Peter Thomassen wrote:

> Hi Bob,
>
> On 6/28/22 16:20, Bob Harold wrote:
> > But the parent NS set is not covered by DNSSEC, and thus could be spoofed??
> > (Wish we could fix that!)
>
> The parental agent (registry, registrar) has off-band definite knowledge
>

Re: [DNSOP] Updating RFC 7344 for cross-NS consistency

2022-06-28 Thread Peter Thomassen
Hi Bob,

On 6/28/22 16:20, Bob Harold wrote:
> But the parent NS set is not covered by DNSSEC, and thus could be spoofed??
> (Wish we could fix that!)

The parental agent (registry, registrar) has off-band definite knowledge of the delegation's NS records. As an example, the .edu operator knows

Re: [DNSOP] Updating RFC 7344 for cross-NS consistency

2022-06-28 Thread Bob Harold
On Tue, Jun 28, 2022 at 9:52 AM Peter Thomassen wrote:

> On 6/28/22 02:56, Paul Wouters wrote:
> >> I thus propose to update RFC 7344 along the lines of (2), such that it is REQUIRED to retrieve CDS/CDNSKEY records using queries to all authoritative nameservers.
> >
> > The question is

Re: [DNSOP] Updating RFC 7344 for cross-NS consistency

2022-06-28 Thread Peter Thomassen
On 6/28/22 02:56, Paul Wouters wrote: I thus propose to update RFC 7344 along the lines of (2), such that it is REQUIRED to retrieve CDS/CDNSKEY records using queries to all authoritative nameservers. The question is now how to phrase this exactly. Do we want the parent to use its