amluto 2 hours ago

Nope.

DNSSEC is a complex scheme that is designed to allow queries to be answered with no secrets known to the answering nameserver: everything is signed offline and signed records are served up.

My (vague) suggestion is to use a much simpler online scheme with correspondingly lower performance, but to use it only for security-critical queries such as those made by CAs.

gzread an hour ago

So a whole alternative DNS tree just for verifying domain ownership to CAs?

Or would it be the same tree? If it's the same tree why not extend it to all records, all the time?