Warren Kumari <war...@kumari.net> wrote:
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <ma...@isc.org> wrote:
> >
> > Well the TLSA is secure. As long as that matches the CERT returned it *is*
> > secured even if the RRSIG on the A RRset is broken.
>
> Ooooh… This is an interesting case (which I personally hadn't considered)...
>
> This all makes sense, but "feels" odd… Not proposing that we do
> anything, but it did make me blink….
This came up when I was working on the SRV/MX drafts. The SRV indirection
needs to be secure, and the TLSA needs to be secure, but that's it.
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
