Attempts to clarify. #4
name: David Schinazi | ||
organization: Google LLC | ||
email: dschinazi.ietf@gmail.com | ||
|
Oops.
SHOULD try all of them before declaring failure. | ||
SHOULD try all of them before declaring failure. An implementation | ||
MUST NOT consider an answer authentic unless it is either signed | ||
via DNSSEC or received over an encrypted transport. |
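Review bot: In the added sentence beginning "An implementation MUST NOT consider an answer authentic", "an answer" does not say which query or record type is being judged, and the text gives no action for the case where neither condition holds. Suggest naming the answer meant and stating what the implementation does with one that is neither signed via DNSSEC nor received over an encrypted transport, for example whether it is discarded or used without being treated as authentic. The requirement is also appended to the line about trying all of them before declaring failure; it would be easier to find as its own paragraph.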
I don't think this DNSSEC point is right, because the text above would require encrypted transport.
authoritative for their own name SHOULD send SVCB glue records | ||
in the additional data section so that they can be properly cached, | ||
and the TTL for these SVCB records SHOULD match that of the | ||
corresponding NS records in the same RRset. |
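Review bot: The last line, "corresponding NS records in the same RRset", cannot hold as written: an RRset is the set of records sharing owner name, class and type, so SVCB and NS records are never in one RRset. Suggest wording such as "the corresponding NS RRset", and consider saying what a resolver does when the SVCB and NS TTLs differ.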
Nice
in {{overview}}, cannot assume the NS answer is authentic. However, | ||
given the number of top-level domain servers, resolvers may use an | ||
HSTS-like mechanism for determining whether which top-level servers | ||
support encrypted transports. |
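Review bot: "whether which top-level servers" on the third line has a stray word; it should read "determining which top-level servers support encrypted transports". The lowercase "may" in "resolvers may use" is also ambiguous next to the MUST and SHOULD keywords used elsewhere in this change, so either make it MAY or reword it as "might". The "HSTS-like mechanism" needs a definition or a reference, since nothing in this hunk says what the resolver remembers or for how long.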
I'm gonna merge this, but I don't think it's quite right. Will fix it in a followup PR.
And add HSTS proposal.