Re: [DNSOP] Resolverless DNS Side Meeting in Montreal

> Assuming that in the context of DoH reply size is not an issue, it seems to
> me that this use case is already solved by DNSSEC. Just push all required
> signatures, key material and DS records that allow the receiving side to
> validate the additional information.
>
>
that validates it's a valid dns record. And maybe that's the whole answer -
at which point we still need to write that down along with the scope of
where it's valid.

otoh - maybe it's not the same valid dns record another resolver might want
you to use. perhaps you have a stronger trust relationship with that other
resolver. hmm.

otoh - maybe an unsigned record is ok in an https context where DNS isn't
the https security model.

this is the kind of stuff that I expect is in scope for discussion.


> Are you trying to re-invent DNSSEC for people who don't want to deploy
> DNSSEC


no.

Received on Tuesday, 10 July 2018 13:29:06 UTC