On Tue, Feb 6, 2018 at 8:25 PM, Matthew Miller < linuxwolf+i...@outer-planes.net> wrote:
> Reviewer: Matthew Miller
> Review result: Ready with Nits
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair. Please wait for direction from your
> document shepherd or AD before posting a new version of the draft.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-tls-dnssec-chain-extension-06
> Reviewer: Matthew A. Miller
> Review Date: 2018-02-06
> IETF LC End Date: 2018-02-07
> IESG Telechat date: 2018-02-08
>
> Summary:
>
> This document is ready, with one issue that I think could benefit
> from some clarification.
>
> Major issues:
>
> NONE
>
> Minor issue:
>
> This is more a question that might warrant some clarification:
> In 7. Verification, the last paragraph discusses client-side
> caching of the RRsets. If a client has cached the full RRset chain
> from TLSA to root RRSIG (and that cache is still viable), is the
> client still expected to specify the "dnssec_chain" extension?
>
> In my reading, that does not seem necessary, and I think it might
> be worth noting if that is true.

Yes, if the client has cached either the validated TLSA RRset or the full
chain, then it doesn't need to send the dnssec_chain for subsequent
connections. If it has only cached other portions of the chain, then it
needs to. We can clarify this.

Shumon Huque
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
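The caching rule stated in the reply above, worked through as an added example (not code from the draft, from either participant, or from any dnssec_chain implementation). It models a client-side cache of DNSSEC RRsets keyed by owner name and type, with per-entry expiry, and decides whether the next ClientHello to a given server needs to carry the dnssec_chain extension. The cache layout, the `zones` list (the signing zones from the TLSA owner's zone up to the root, assumed learned from an earlier chain), the `validated` flag and the injectable clock are all assumptions of the example.

```python
"""Client-side decision: does the next ClientHello need dnssec_chain?

Rule from the thread: the extension can be omitted only while the client
still holds an unexpired, DNSSEC-validated TLSA RRset for the server, or the
unexpired full chain (TLSA plus DNSKEY, and DS below the root, for every zone
up to the root) from which it can re-validate one locally. Cached fragments
of the chain, or expired entries, do not suffice.
Cache layout, zone list and clock are assumptions of this example.
"""
import time
from dataclasses import dataclass


@dataclass
class CachedRRset:
    validated: bool     # True if this RRset was DNSSEC-validated when stored
    expires_at: float   # absolute time; callers derive it from the TTL


class DnssecCache:
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing TTL expiry
        self._rrsets = {}              # (owner name, rrtype) -> CachedRRset

    @staticmethod
    def _key(owner, rrtype):
        # Normalise to a lower-case, absolute owner name ("." for the root).
        return owner.lower().rstrip(".") + ".", rrtype.upper()

    def put(self, owner, rrtype, ttl, validated):
        """Store an RRset; ttl is its remaining lifetime in seconds."""
        self._rrsets[self._key(owner, rrtype)] = CachedRRset(
            validated, self._clock() + ttl)

    def get(self, owner, rrtype):
        """Return the RRset if present and unexpired; evict stale entries."""
        key = self._key(owner, rrtype)
        entry = self._rrsets.get(key)
        if entry is None:
            return None
        if entry.expires_at <= self._clock():
            del self._rrsets[key]      # expired: treat as not cached
            return None
        return entry


def tlsa_owner(host, port, proto="tcp"):
    """TLSA owner name per RFC 6698: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def full_chain_cached(cache, owner, zones):
    """True if the TLSA RRset plus every DNSKEY (and DS for non-root zones)
    along `zones` is cached and unexpired. `zones` runs from the signing zone
    of the TLSA up to the root, e.g. ["example.com.", "com.", "."]."""
    if cache.get(owner, "TLSA") is None:
        return False
    for zone in zones:
        if cache.get(zone, "DNSKEY") is None:
            return False
        if zone != "." and cache.get(zone, "DS") is None:
            return False
    return True


def needs_dnssec_chain(cache, host, port, zones):
    """Decide whether the ClientHello to host:port must carry dnssec_chain."""
    owner = tlsa_owner(host, port)
    tlsa = cache.get(owner, "TLSA")
    if tlsa is not None and tlsa.validated:
        return False    # validated TLSA still fresh: nothing to request
    if full_chain_cached(cache, owner, zones):
        return False    # full chain cached: client can re-validate locally
    return True         # nothing cached, only fragments, or expired entries


def demo():
    """Run the cases discussed in the thread against a fake clock.
    Constructed sample data, not captured from a real resolver."""
    clock = [1000.0]
    zones = ["example.com.", "com.", "."]
    host, port, owner = "www.example.com", 443, "_443._tcp.www.example.com"
    results = {}

    c = DnssecCache(lambda: clock[0])
    results["empty cache"] = needs_dnssec_chain(c, host, port, zones)
    c.put(owner, "TLSA", 3600, validated=True)
    results["validated TLSA"] = needs_dnssec_chain(c, host, port, zones)
    clock[0] += 3601                   # let the TLSA entry expire
    results["expired TLSA"] = needs_dnssec_chain(c, host, port, zones)

    c2 = DnssecCache(lambda: clock[0])
    c2.put(owner, "TLSA", 3600, validated=False)
    c2.put("example.com", "DNSKEY", 3600, validated=False)
    c2.put("example.com", "DS", 3600, validated=False)
    results["partial chain"] = needs_dnssec_chain(c2, host, port, zones)
    c2.put("com", "DNSKEY", 3600, validated=False)
    c2.put("com", "DS", 3600, validated=False)
    c2.put(".", "DNSKEY", 3600, validated=False)
    results["full chain"] = needs_dnssec_chain(c2, host, port, zones)
    return results


if __name__ == "__main__":
    for case, send in demo().items():
        print(f"{case:15s} -> send dnssec_chain: {send}")
```

Expiry is deliberately checked on every lookup rather than only at insertion time, so a TLSA RRset or chain link whose TTL ran out between connections forces the extension back into the next ClientHello instead of being trusted from stale cache state.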