What comment of mine are you replying to exactly? You seem to have read an awful lot into something where I was trying to help someone understand why there is some conflict here.
I only mentioned X509 as people are going to be more familiar with that than DNSSEC. The reason I mentioned it was to describe it as having a comparable method for validating the chain of certificates/signatures. It is very similar in that regard to X509 certificate chains.
I’ve implemented DNSSEC in my own project, so I know the protocol, and I do agree that, for MX records as well as TXT and other record types, we need to validate that the records are authentic in many contexts. Not just web and not just the public internet, where we might want to pin custom trust anchors.
I can see you are very concerned about this as am I, and if you want to reach out and discuss this in a different forum, I’d be happy to, as I think we have shared interests in seeing this succeed.