[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

Emmanuel Fusté manu.fuste at gmail.com
Fri Apr 15 20:56:44 UTC 2022


On 15/04/2022 at 20:18, Robert L Mathews wrote:
> On 4/14/22 4:00 PM, Mark Andrews wrote:
>> Bring on HTTPS support in browsers as then this CNAME at the apex 
>> idiocy can go away.
>
> I have doubts about this, because a) that will take a long time (a 
> decade or more until people feel comfortable that most browsers are 
> using them), and b) people are still going to want the same 
> protocol-independent effect in other software that will never be 
> updated to support HTTPS or SVCB records.
>
Firefox and Chrome have had HTTPS/SVCB support enabled for two to four 
major releases, and for years on iOS.
CNAME at the apex is only for browser/marketing purposes and could start 
to go away now.
Serious tools/software will be updated for ECH/TLSv1.3 support.
All the others could simply live without HTTPS/SVCB and without CNAME at 
the apex.

Emmanuel.


