On 4/12/21 8:51 AM, Nico Williams wrote:
You get better security properties (w.r.t. possible compromised root or ccTLD/TLD keys) if the resolver finds the DNSSEC chain on its own using qname minimization than you get with stapling, but I agree that stapling is a performance win. We'll really want transparency for DNSSEC if we do any kind of full chain stapling.
Can somebody explain what "stapling" is?

thx, Mike