| ▲ | gzread 3 hours ago | |
Basically reinventing DNSSEC? | ||
| ▲ | amluto 6 minutes ago | parent [-] | |
Nope. DNSSEC is a complex scheme that is designed to allow queries to be answered with no secrets known to the answering nameserver: everything is signed offline and signed records are served up. My (vague) suggestion is to use a much simpler online scheme with correspondingly lower performance, but to use it only for security-critical queries such as those made by CAs. | ||