[dns-operations] Browser Public suffixes list

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Aug 27 01:55:13 UTC 2022


On Sat, Aug 27, 2022 at 03:17:18AM +0300, Meir Kraushar wrote:

> You also suggested to not opt-out?  What would be the reason for that?

Attackers can no longer fabricate the existence or non-existence of
unsigned delegations whose hashes fall between those of the signed ones.

Of course all answers under an unsigned delegation are still subject to
some tampering.

Most of the value of avoiding opt-out is obtained in "leaf" zones with
no delegations.  A delegation-mostly zone (such as a TLD) benefits less,
but unless you're operating something as large as .COM, there's little
reason to bother with opt-out.

-- 
    Viktor.
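As an added illustration (not part of Viktor's message or any project's code), the following Python models the NSEC3 reasoning described above: it hashes names per RFC 5155, builds the chain with and without opt-out for a constructed zone, and shows what a validator can conclude about a real unsigned delegation versus a name that does not exist. The zone, the names, the empty salt and the zero iteration count are all assumptions made for the example.

```python
import base64
import hashlib

# base32hex alphabet (RFC 4648 section 7): sorting the encoded strings sorts the hashes.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1 of (name || salt), re-hashed `iterations` times, base32hex."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode()

def build_chain(zone_names, signed_names, opt_out):
    """Sorted NSEC3 chain as (owner_hash, next_hash, opt_out_flag) tuples.
    With opt-out only the apex and delegations that have a DS record get an NSEC3;
    unsigned delegations fall silently into the gaps between those hashes."""
    covered = signed_names if opt_out else zone_names
    hashes = sorted(nsec3_hash(n) for n in covered)
    return [(h, hashes[(i + 1) % len(hashes)], opt_out) for i, h in enumerate(hashes)]

def validate(qname, chain):
    """What a validator can conclude about qname from the chain (RFC 5155 section 8).
    Simplified: qname is one label below the apex, so the apex is the closest encloser
    and qname itself is the next-closer name; the wildcard proof is omitted."""
    h = nsec3_hash(qname)
    for owner, nxt, flag in chain:
        if h == owner:
            return "exists"                      # matching NSEC3 proves the name is present
        wraps = owner >= nxt                     # last record wraps around to the first
        if owner < h < nxt or (wraps and (h > owner or h < nxt)):
            # covering NSEC3 proves absence only when the Opt-Out bit is clear
            return "insecure" if flag else "secure-nxdomain"
    return "bogus"                               # nothing matches or covers: reject

# Constructed sample zone: apex, one delegation with a DS record, one without.
ZONE = ["example.", "signed.example.", "unsigned.example."]
SIGNED = ["example.", "signed.example."]

def compare():
    """Validator verdicts for a real unsigned delegation and a made-up name, both ways."""
    queries = ("unsigned.example.", "nonexistent.example.")
    return {opt_out: {q: validate(q, build_chain(ZONE, SIGNED, opt_out)) for q in queries}
            for opt_out in (False, True)}
```

compare() returns "exists" and "secure-nxdomain" for the two queries without opt-out, but "insecure" for both with opt-out: the validator can no longer tell the real unsigned delegation from the made-up name, which is the room for fabrication the message describes.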
