Some more fleshing out of details of how Paymail will initially fit in ElectrumSV, and a potential picture of the longer term direction.
https://medium.com/@roger.taylor/notes-on-adapting-paymail-1977d450d938
Replies
Re: DNSSEC. There is no issue so long as the host is the same as the domain or perhaps with www prepended. If the domain picks a different host, then you should require DNSSEC.
Wouldn't we employ DNSSEC once or twice depending on that? Once for resolving the domain and looking up the SRV records and so forth, and potentially a second time when we look up the host if it differs? -- rt12
Further, the reason not to always require it is that it can be a PITA to support. AWS does not support it, for instance. I think we should only require it if it actually makes a security difference, which it does in the case of third-party hosted paymails.
You don't have to, because if the paymail is self-hosted, there is nothing a MITM attack could do. Only if they change it to a different domain do you need to know that a MITM is not possible, and that is why it makes sense to enforce DNSSEC in that case.
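The policy argued for in the replies above, written out as an added example that is not part of the thread or of ElectrumSV's code. The function names and the `dnssec_validated` input (whether the resolver validated the SRV answer) are assumptions, and the sample hostnames are constructed.

```python
from dataclasses import dataclass


def _norm(host: str) -> str:
    """Canonicalise a DNS name for comparison: drop the root dot, lowercase."""
    return host.strip().rstrip(".").lower()


def is_self_hosted(paymail_domain: str, srv_target: str) -> bool:
    """True when the SRV target is the paymail domain itself or www.<domain>."""
    domain, target = _norm(paymail_domain), _norm(srv_target)
    # Exact match only: suffix or prefix matching would accept look-alike
    # names such as "example.com.attacker.test".
    return target in (domain, "www." + domain)


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def check_srv_target(paymail_domain: str, srv_target: str,
                     dnssec_validated: bool) -> Decision:
    """Require DNSSEC only when the SRV record delegates to another host."""
    if not _norm(paymail_domain) or not _norm(srv_target):
        return Decision(False, "empty domain or SRV target")
    if is_self_hosted(paymail_domain, srv_target):
        return Decision(True, "self-hosted: DNSSEC not required")
    if dnssec_validated:
        return Decision(True, "third-party host: SRV answer DNSSEC-validated")
    return Decision(False, "third-party host: SRV answer not DNSSEC-validated")


# Constructed samples: (paymail domain, SRV target, resolver validated DNSSEC?)
SAMPLES = [
    ("example.com", "example.com.", False),
    ("example.com", "WWW.Example.com", False),
    ("example.com", "paymail.provider.test", False),
    ("example.com", "paymail.provider.test", True),
    ("example.com", "example.com.attacker.test", False),
]

if __name__ == "__main__":
    for domain, target, validated in SAMPLES:
        d = check_srv_target(domain, target, validated)
        print(f"{domain} -> {target} (dnssec={validated}): "
              f"{'ACCEPT' if d.accept else 'REJECT'} ({d.reason})")
```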