On Thu, 1 Mar 2018, Shumon Huque wrote:
> I do not know if the draft authors and/or WG have an appetite to do the much more major change suggested by Viktor (i.e. in-protocol pinning TTL commitment and requiring subsequent denial of existence proof if DANE is removed).
I think it is worth discussing in London and/or some people meeting up to talk about this and bring something to the list/WG.

The original idea of this extension I believe (and one of my reasons behind writing RFC 7901) was to provide an alternative path for DNS that couldn't be blocked or broken and that provides DNS answers without additional latency. To me, that always included proof of non-existence, as it would come in as the answer to a DNS chain-query via TLS headers as the transport.

I don't know why this got turned into something that is almost like DNS but not quite DNS. I think that is a mistake. The TLS extension should be nothing more (and nothing less) than stapled DNS suitable for DNS routines.

Paul

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls