Open mcmanus opened 5 years ago
Interesting! Essentially, just say that if something is willing to DNSSEC sign the DOHNS record, then it's okay to use? It's still a bit weird if someone did that for "com", but perhaps we can argue that no one would realistically do that.
If something is within an eTLD that has a record, however, we may want to encourage looking for the more specific record?
A DOHNS record needs to be 1] DNSSEC signed 2] for something more specific than an eTLD.
What's the rationale for 2 if we have 1?
I can think of 2 reasons to remove it: 1] dealing with the PSL is complicated and full of state. And the PSL is pretty inaccurate anyhow. 2] don't we want to look up eTLD records over DoH directly? E.g. us.com is considered an eTLD and it also has an A record and a valid https://us.com site.