[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches
Emmanuel Fusté
manu.fuste at gmail.com
Fri Apr 15 20:56:44 UTC 2022
On 15/04/2022 at 20:18, Robert L Mathews wrote:
> On 4/14/22 4:00 PM, Mark Andrews wrote:
>> Bring on HTTPS support in browsers as then this CNAME at the apex
>> idiocy can go away.
>
> I have doubts about this, because a) that will take a long time (a
> decade or more until people feel comfortable that most browsers are
> using them), and b) people are still going to want the same
> protocol-independent effect in other software that will never be
> updated to support HTTPS or SVCB records.
>
Firefox and Chrome have had HTTPS/SVCB support enabled for two to four
major releases, and it has been there for years on iOS.
CNAME at the apex is only for browser/marketing purposes and could start
to go away now.
Serious tools/software will be updated for ECH/TLSv1.3 support.
All the others could simply live without HTTPS/SVCB and without CNAME at
the apex.
Emmanuel.