On Tue, 2 Oct 2012, Andrew Sullivan wrote:
> Yep, I know. But my point (which I apparently stated so badly that it
> was impossible to understand) is that it _doesn't matter_ if you can
> get DNSSEC out at the edge, if the application can't tell.
>
> No. Rather, if I'm going to consume the TLSA record, I need some sort
> of confidence that the record was obtained securely.
Indeed.
If the application gets a TLSA record, it must have passed DNSSEC
validation, either on the localhost, in the app, or via an AD bit
over a VPN connection. Otherwise, you did not get a usable TLSA record.
I thought we agreed on that in RFC 6698 Section 8 (specifically, 8.3)
"For this reason, DNSSEC validation is best performed on-host,
even when a secure path to an external validator is available."
Of course, this leaves out any talk about internal-only zones, VPNs, and
internal TLSA records, where things become a little more complicated.
Paul
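
Worked example (added by the editor; it is not code from Paul's or Andrew's
mail and not taken from any DANE implementation): a minimal application-side
TLSA consumer in Python that does what the message above asks for. It treats
a TLSA answer as usable only when the DNS response carries the AD bit, and
only then matches a record against the server certificate per RFC 6698
section 2.1. The wire message, the "certificate" and the SubjectPublicKeyInfo
bytes are constructed placeholders, and the name _443._tcp.example.com and all
helper names are assumptions made for the example. Note what the code cannot
check, which is exactly the thread's point: the AD bit is only evidence when
the validator runs on-host or is reached over a path the host trusts (the VPN
case); over an untrusted path anyone on the wire can set it.

```python
"""Added example, not from the original mail: gate TLSA use on the AD bit, then
match a usable record against the peer certificate (RFC 6698 section 2.1).
The message, certificate and SPKI bytes below are constructed placeholders; a
real client takes the DER cert and SPKI from the TLS peer via a crypto library.
"""
import hashlib
import hmac
import struct

TYPE_TLSA = 52
CLASS_IN = 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD = 0x0020      # Authenticated Data (RFC 4035): validator asserts DNSSEC passed
RCODE_MASK = 0x000F

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
SAMPLE_CERT_DER = b"-- constructed DER certificate, not a real one --"
SAMPLE_SPKI_DER = b"-- constructed SubjectPublicKeyInfo, not a real one --"


class DnsLookupFailed(Exception):
    """Non-zero RCODE. A validator reports bogus data as SERVFAIL, so the
    caller must abort rather than quietly fall back to plain PKIX."""


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_tlsa_rdata(usage, selector, mtype, cert_assoc_data):
    return struct.pack("!BBB", usage, selector, mtype) + cert_assoc_data


def build_response(qname, rdatas, ad):
    """Constructed DNS response: one TLSA question, one answer RR per rdata."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rdatas), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    answers = b"".join(
        b"\xc0\x0c"                               # pointer to the question name at offset 12
        + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(r)) + r for r in rdatas)
    return header + question + answers


def parse_response(msg):
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return flags, answers


def usable_tlsa_records(msg):
    """(usage, selector, mtype, data) tuples, or None when the answer is unsigned.

    AD is only evidence if set by an on-host validator or one reached over a
    trusted path; this function cannot know that and the caller must.
    """
    flags, answers = parse_response(msg)
    if (flags & RCODE_MASK) != 0:
        raise DnsLookupFailed("rcode %d" % (flags & RCODE_MASK))
    if not (flags & FLAG_AD):
        return None                                # unsigned: no usable TLSA record
    return [(r[0], r[1], r[2], r[3:])
            for _, rtype, _, _, r in answers if rtype == TYPE_TLSA and len(r) >= 3]


def tlsa_matches(record, cert_der, spki_der):
    """RFC 6698 2.1: select cert or SPKI, apply the matching type, compare."""
    _usage, selector, mtype, cad = record
    data = {0: cert_der, 1: spki_der}.get(selector)
    if data is None:
        return False                               # unknown selector: unusable record
    if mtype == 0:
        digest = data
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        return False                               # unknown matching type: unusable record
    return hmac.compare_digest(digest, cad)


def dane_decision(msg, cert_der, spki_der):
    """'match', 'mismatch', or 'no-dane' (fall back to ordinary PKIX validation)."""
    records = usable_tlsa_records(msg)
    if not records:
        return "no-dane"
    return "match" if any(tlsa_matches(r, cert_der, spki_der) for r in records) else "mismatch"


def sample_response(ad, correct=True):
    """Constructed _443._tcp.example.com answer: DANE-EE(3), SPKI(1), SHA-256(1)."""
    key = SAMPLE_SPKI_DER if correct else b"-- some other key --"
    rdata = build_tlsa_rdata(3, 1, 1, hashlib.sha256(key).digest())
    return build_response("_443._tcp.example.com", [rdata], ad=ad)


if __name__ == "__main__":
    for ad in (True, False):
        print("AD=%d ->" % ad, dane_decision(sample_response(ad), SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

Running the module prints "match" for the AD=1 response and "no-dane" for the
identical answer without AD: same TLSA bytes, but without validation the
application has no grounds to trust them, so it falls back to PKIX alone
instead of pinning to an unauthenticated record. A SERVFAIL from the
validator (bogus data) raises instead of returning, so it cannot be mistaken
for the unsigned case.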
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations