On Wed, Sep 23, 2015 at 4:55 PM, Simon Josefsson
> Eliot Lear <lear(_at_)cisco(_dot_)com> writes:
>> The good news is that this should be observable by the user. That is,
>> he should be able to query the domain for his own public key and
> The user can't detect it reliably, I believe, at least not until we have
> something like a Certificate Transparency project for DNSSEC data.
+1. This is a good idea. More sunlight on (DNS, web, other) certificates is
a good thing.
I have no particular problem with keyservers remaining outside of the DNS
payload ecology, btw. I feel this is a bit like discussions of OCSP:
wonderful idea, no traction. That's what keyservers feel like.
DNSSEC has compelling qualities of ubiquity and reach, combined with signed
chain. John Levine's argument takes me to believe there is no innate
value-add from the DNSSEC in the fetch of the data over any other path, but
it is ubiquitous, and widely distributed where keyserver.pool.org is
inherently scale-nasty until somebody in CDN land steps in to make it scale.