On 2/23/21 9:47 PM, Phillip Hallam-Baker wrote:
One of the big problems of IETF is that a lot of people don't think about how to get their scheme deployed and when they do, their plan is to tie it to some other group as a boat anchor. Back when we were doing DKIM and SPF we had to tell certain DNS folk that the fact that almost no DNS Registrars offered customers the ability to specify new RRTypes was their problem and was going to remain their problem no matter how loudly they tried to complain that it should become our problem.
We had a solution for that which was to use the IIM KRS concept
which was just HTTP. It would have solved the weakness of relying
on DNSSEC trivially too. People were worried about performance,
but DoH pretty much shows that was probably not well founded. A
PKI using a HTTPS key server would scale just fine these days.
Mike