Hi all,
I know this topic has been dead for a bit, but I did want to specifically find out if Knot
is intended to be compliant with DNSSEC RFCs 4035 and 6840. I ask because I am a computer
security researcher and I do a lot of work with the CA/Browser Forum. I recently proposed
a draft ballot that would mandate all publicly-trusted web CAs validate DNSSEC:
https://github.com/cabforum/servercert/pull/571
This ballot requires compliance with RFCs 4035 (specifically an implementation of a
"security-aware" resolver as defined in Section 4) and 6840. To the best of my
knowledge Knot would be a viable choice for conforming to this ballot particularly since
there is a reference to RFC 4035 in the config documentation and 6840 implements several
key features of modern DNSSEC. Given the need for documentable compliance by CAs, a
statement of intended support from the Knot team would be extremely helpful.
Best,
Henry
https://henrybirgelee.com/