> On Apr 12, 2018, at 6:44 PM, Willem Toorop <wil...@nlnetlabs.nl> wrote:
> 
> Well... I find it unfortunate that the line you were quoting from
> section 3.4 could be interpreted as prohibiting the possibility of
> denial of existence.  So I am open to relaxing that text so that it
> cannot be interpreted as such anymore, yes.

Current text:

   The first RRset in the chain MUST contain the TLSA record set being
   presented.  However, ...

Proposed text:

   When the server has DNSSEC-signed TLSA records, the first RRset in
   the chain MUST contain the TLSA record set being presented.
   However, ...

   When the server either has no TLSA records, or its domain is not
   DNSSEC-signed, it is RECOMMENDED that the server return a denial
   of existence of either the TLSA records, or proof of insecure
   delegation at some parent domain, rather than omit the extension.
   Clients that are willing to fall back from DANE to some alternative
   mechanism may require the denial of existence to make that possible.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
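The security point behind the proposed text is that a client can only distinguish "this server legitimately has no usable TLSA records" from "someone stripped the extension" if the chain carries an authenticated denial. The following Python model, added here as an illustration and not taken from the draft or from either poster, shows the client-side decision over a chain that has already been DNSSEC-signature-validated (that validation is assumed to happen elsewhere). It implements RFC 4034 canonical name ordering to check that an NSEC record actually covers the TLSA owner name, recognises a NODATA denial and a parent-side proof of insecure delegation, and treats an absent extension as a distinct outcome. All names, RRsets and zone cuts are constructed test data; the NXDOMAIN branch checks only the covering NSEC and omits the wildcard-denial record a complete proof also needs.

```python
"""Client decision logic for a DNSSEC chain carried in the TLS extension.

Added example; not part of the draft or the mailing-list discussion.
Assumes the chain's RRSIGs were already validated, so the only question
left is what the validated records prove. NSEC-only (no NSEC3) and the
wildcard half of an NXDOMAIN proof is omitted for brevity.
"""
from dataclasses import dataclass, field


def canonical_labels(name: str) -> list:
    # RFC 4034 s6.1: compare from the root label downward, case-folded.
    return [lab.lower().encode() for lab in reversed(name.rstrip(".").split("."))]


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 in DNSSEC canonical order; an ancestor sorts before its children."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_ancestor_or_equal(ancestor: str, name: str) -> bool:
    la, ln = canonical_labels(ancestor), canonical_labels(name)
    return ln[: len(la)] == la


@dataclass
class NSEC:
    owner: str
    next_name: str
    types: frozenset  # type bitmap of the owner name


@dataclass
class Chain:
    tlsa_rrset: list = field(default_factory=list)   # TLSA presentations, if any
    nsecs: list = field(default_factory=list)        # denial records, if any


def nsec_covers(rec: NSEC, qname: str, zone_apex: str) -> bool:
    """True if qname sorts strictly between rec.owner and rec.next_name.
    The last NSEC in a zone points back to the apex and covers everything
    after its owner."""
    if canonical_cmp(qname, rec.owner) <= 0:
        return False
    if canonical_cmp(rec.next_name, zone_apex) == 0:
        return True
    return canonical_cmp(qname, rec.next_name) < 0


def evaluate(chain, tlsa_name: str, zone_apex: str) -> str:
    """Classify what the (validated) chain proves about tlsa_name.

    ABSENT            extension not sent: cannot tell downgrade from no-DANE
    DANE              TLSA RRset present: authenticate the peer with it
    FALLBACK_NODATA   name exists, TLSA type absent: fallback is justified
    FALLBACK_NXDOMAIN name does not exist: fallback is justified
    FALLBACK_INSECURE parent proves delegation is unsigned: fallback justified
    INVALID           chain proves nothing useful: treat as a failure
    """
    if chain is None:
        return "ABSENT"
    if chain.tlsa_rrset:
        return "DANE"
    for rec in chain.nsecs:
        if canonical_cmp(rec.owner, tlsa_name) == 0:
            # NODATA: the name exists; the bitmap says whether TLSA is absent.
            # A bitmap that lists TLSA while the chain omits the RRset is
            # inconsistent, so it proves nothing.
            return "FALLBACK_NODATA" if "TLSA" not in rec.types else "INVALID"
        # A parent-side delegation NSEC lists NS but never SOA; no DS bit
        # means the child zone is an unsigned (insecure) delegation.
        if ("NS" in rec.types and "SOA" not in rec.types and "DS" not in rec.types
                and is_ancestor_or_equal(rec.owner, tlsa_name)):
            return "FALLBACK_INSECURE"
        if nsec_covers(rec, tlsa_name, zone_apex):
            return "FALLBACK_NXDOMAIN"
    return "INVALID"


# Constructed sample data (not real zones).
TLSA_NAME = "_443._tcp.www.example.com"
APEX = "example.com"

if __name__ == "__main__":
    cases = {
        "absent": (None, APEX),
        "dane": (Chain(tlsa_rrset=["3 1 1 <constructed-hash>"]), APEX),
        "nodata": (Chain(nsecs=[NSEC(TLSA_NAME, APEX, frozenset({"RRSIG", "NSEC"}))]), APEX),
        "nxdomain": (Chain(nsecs=[NSEC("www.example.com", APEX, frozenset({"A", "RRSIG", "NSEC"}))]), APEX),
        "insecure": (Chain(nsecs=[NSEC("example.com", "example-next.com", frozenset({"NS", "RRSIG", "NSEC"}))]), "com"),
    }
    for label, (chain, apex) in cases.items():
        print(f"{label:9s} -> {evaluate(chain, TLSA_NAME, apex)}")
```

The ordering of checks inside the loop matters: the parent's NSEC at a delegation point sorts before every name in the child zone, so a naive "does this NSEC cover the query name" test would misclassify an insecure delegation as NXDOMAIN; hence the delegation test runs first. A client that implements a pinning policy would treat `ABSENT` and `INVALID` as hard failures and permit fallback only on the three `FALLBACK_*` outcomes, which is exactly the distinction the proposed text makes possible.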