In article <alpine.deb.2.11.1702201458030.23...@grey.csi.cam.ac.uk> you write: >Would it be easier or harder, instead of adding a new SNI RRtype, to use >DANE TLSA records to identify the server's cert or key, and use a >variation of TLS SNI to request the cert by digest instead of by name?
I don't see how that would help. Using passive DNS it's easy to find all the names that point to a server, which makes it easy to get all of the TLSA records for those names so the bad guy knows the hashes. R's, John _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
