Re: [DNSOP] [Doh] [Driu] Resolverless DNS Side Meeting in Montreal

2018-07-11 Thread Mike Bishop
But it's not necessarily the CDN that's generating the signed records in the general case. You're wanting proof that the customer's domain is pointed to that CDN, so it's signed by whoever manages the DNS infrastructure instead. That could be one of the CDNs, or the customer's operations team,

Re: [DNSOP] [Doh] [Driu] Resolverless DNS Side Meeting in Montreal

2018-07-11 Thread Petr Špaček
On 10.7.2018 20:57, Ryan Sleevi wrote:
> On Tue, Jul 10, 2018 at 2:09 PM, Mike Bishop wrote:
> > Yes, the multi-CDN case is the scariest aspect of coalescing and the various DNS tricks we’ve been doing in recent years. The server may not be ma

Re: [DNSOP] [Doh] [Driu] Resolverless DNS Side Meeting in Montreal

2018-07-10 Thread Adam Roach
On 7/10/18 12:32 PM, Philip Homburg wrote: If we decide that TLS is strong enough to defend against these attacks, then there is no need to secure the DNS lookup, other than to reduce the risk of denial of service and for privacy reasons. Then such an ip= modifier would be fine, because the worst