As a note, I didn't see anything in this draft (from a quick read) that precludes any of DANE's Certificate Usage, Selector, or Matching Type fields. If that's not the case, perhaps someone can correct me.
A client must not be able to force a server to perform lookups on arbitrary domain names using this mechanism. Therefore, a server MUST NOT construct chains for domain names other than its own.

What about the reverse? Do we care about a server tricking a client into priming its DNS cache?

-tom

On 28 June 2017 at 16:15, Joseph Salowey <j...@salowey.net> wrote:
> This is the working group last call for
> draft-ietf-tls-dnssec-chain-extension-04. Please send your comments to the
> list by July 12, 2017.
>
> Thanks,
>
> J&S
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
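The two technical points in the message above (DANE's Selector and Matching Type fields, and the rule that a server only constructs chains for its own names) are illustrated by the following added example. It is not code from the thread or from the draft; it is a standalone Python sketch. The TLSA field semantics follow RFC 6698, while the name-scoping check, the function names, and the certificate/SPKI byte strings are assumptions constructed for this example (the byte strings are stand-ins, not real DER).

```python
"""Added example, not from the TLS WG thread or the draft.

1. Scope chain construction to the server's own names, so a client cannot use
   the extension to make the server resolve arbitrary domain names.
2. DANE TLSA matching (RFC 6698): apply a record's Selector and Matching Type
   against a certificate. Certificate bytes below are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass


# --- 1. Only build a chain for a name the server actually serves ------------

def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.com.' == 'example.com'."""
    return name.rstrip(".").lower()


def may_build_chain(requested_name: str, server_names) -> bool:
    """Return True only if requested_name is one of the server's configured names.
    Anything else is refused rather than looked up (hypothetical policy helper)."""
    own = {_normalize(n) for n in server_names}
    return _normalize(requested_name) in own


# --- 2. TLSA record parsing and matching ------------------------------------

@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse TLSA wire-format RDATA: three one-octet fields, then the data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Select the certificate or its SPKI, then compare per the Matching Type.
    Unknown selector or matching-type values make the record unusable (False)."""
    if rec.selector == 0:
        selected = cert_der
    elif rec.selector == 1:
        selected = spki_der
    else:
        return False
    if rec.matching_type == 0:
        return selected == rec.data
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False


# Constructed sample input: stand-in bytes, not real certificate DER.
SAMPLE_CERT = b"constructed-cert-bytes"
SAMPLE_SPKI = b"constructed-spki-bytes"
# DANE-EE (3), SPKI selector (1), SHA-256 matching type (1) for SAMPLE_SPKI.
SAMPLE_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()


if __name__ == "__main__":
    print(may_build_chain("www.example.com.", ["www.example.com"]))  # True
    print(may_build_chain("other.example", ["www.example.com"]))     # False
    rec = parse_tlsa_rdata(SAMPLE_RDATA)
    print(rec.usage, rec.selector, rec.matching_type)                # 3 1 1
    print(tlsa_matches(rec, SAMPLE_CERT, SAMPLE_SPKI))              # True
```

The Certificate Usage field is carried through but not acted on here, since it governs which PKIX path-validation step applies rather than how the association data is compared; the comparison logic is the same for all four usages.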