On Wed, Jul 04, 2018 at 06:34:44PM -0700, Eric Rescorla wrote:
> 3. Do you support the proof of denial of existence text in the revision?
>
> The mechanism seems fine, but it doesn't seem to me that the specification
> is clear on what the semantics are. I think what they are is that you can
> configure the client to be in some "DNSSEC required" mode which will
> require that the extension be returned and that it either (a) contain
> DNSSEC-signed records for the domain or (b) contain authenticated denial of
> existence. Is this correct? If so, I would be happy to have the text merged
> and then wordsmith this explanation.
More precisely, you can configure the client to require the extension, and
yet still interoperate with servers that (support the extension, but) live
in an unsigned zone, or live in a signed zone with no TLSA records for the
service in question. The server just needs to be able to return a denial of
existence proof for the DS records of a delegated containing domain or its
TLSA records, respectively.

Agree that merging the text for further polish is a logical next step.

> 4. Do you support the new and improved security considerations?
>
> They seem like a good start. I'd be happy to have them merged and wordsmith
> them.

Ditto.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
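The client-side decision described in the exchange above (extension required; either validated TLSA records, or an authenticated denial of TLSA in a signed zone, or an authenticated denial of DS at a containing delegation), written out as an added example. This is not code from the draft, from Viktor's posts, or from any TLS stack. It assumes a hypothetical `ValidatedChain` summary that the client fills in after it has already run DNSSEC validation over the records carried in the extension; the policy function only decides what that validated result means for the handshake. The one check worth noticing beyond the prose is that a DS denial is accepted only when the denied name actually contains the TLSA owner name, so a validly signed proof for some unrelated zone cannot be used to talk the client into PKIX fallback. The sample chains at the bottom are constructed for illustration.

```python
"""Client policy for a DNSSEC-chain TLS extension carrying TLSA data or
denial-of-existence proofs. Added example; the ValidatedChain model is an
assumption made here, not the draft's wire format."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Outcome(Enum):
    DANE = "authenticate the server via validated TLSA records"
    PKIX_FALLBACK = "no DANE data for this name; use ordinary PKIX validation"
    REJECT = "abort the handshake"


@dataclass
class ValidatedChain:
    """What the client knows after validating the extension payload (assumed model)."""
    tlsa_name: str                                     # e.g. "_443._tcp.www.example.com."
    tlsa_rrset: List[str] = field(default_factory=list)  # validated TLSA records, if any
    tlsa_denied: bool = False          # signed zone, authenticated denial of TLSA at tlsa_name
    insecure_delegation: Optional[str] = None  # name whose DS RRset was proven absent
    bogus: bool = False                # some signature or proof in the chain failed to validate


def _labels(name: str) -> List[str]:
    """Lower-cased label list; trailing dot and empty labels dropped."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_ancestor_or_equal(zone: str, name: str) -> bool:
    """True if zone is name itself or a parent domain of it, compared label by
    label, so "ample.com" is NOT an ancestor of "example.com"."""
    z, n = _labels(zone), _labels(name)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def dane_policy(require_extension: bool, chain: Optional[ValidatedChain]) -> Outcome:
    """Map a (validated) extension payload to a handshake decision."""
    if chain is None:
        # The server sent no extension at all.
        return Outcome.REJECT if require_extension else Outcome.PKIX_FALLBACK
    if chain.bogus:
        # The extension was sent but does not validate. Treat as an attack,
        # not as "no DANE": a bogus chain must never open the PKIX fallback.
        return Outcome.REJECT
    if chain.tlsa_rrset:
        # Case (a): DNSSEC-signed TLSA records for the service.
        return Outcome.DANE
    if chain.tlsa_denied:
        # Case (b), signed zone: authenticated proof that no TLSA exists.
        return Outcome.PKIX_FALLBACK
    if chain.insecure_delegation is not None and is_ancestor_or_equal(
        chain.insecure_delegation, chain.tlsa_name
    ):
        # Case (b), unsigned zone: authenticated proof that a containing
        # delegation has no DS, so no validated TLSA data can exist below it.
        return Outcome.PKIX_FALLBACK
    # Extension present but carries neither usable TLSA data nor a denial
    # that covers this name (for instance a DS denial for an unrelated zone).
    return Outcome.REJECT


# Constructed sample chains (not real DNS data).
TLSA_NAME = "_443._tcp.www.example.com."
SIGNED_TLSA = ValidatedChain(TLSA_NAME, tlsa_rrset=["3 1 1 0123456789abcdef0123456789abcdef"])
NO_TLSA_IN_SIGNED_ZONE = ValidatedChain(TLSA_NAME, tlsa_denied=True)
UNSIGNED_ZONE = ValidatedChain(TLSA_NAME, insecure_delegation="example.com.")
UNRELATED_DS_DENIAL = ValidatedChain(TLSA_NAME, insecure_delegation="ample.com.")
BOGUS_CHAIN = ValidatedChain(TLSA_NAME, tlsa_rrset=["3 1 1 00"], bogus=True)


if __name__ == "__main__":
    for label, chain in [
        ("no extension", None),
        ("signed TLSA", SIGNED_TLSA),
        ("signed zone, no TLSA", NO_TLSA_IN_SIGNED_ZONE),
        ("unsigned zone", UNSIGNED_ZONE),
        ("DS denial for unrelated zone", UNRELATED_DS_DENIAL),
        ("bogus chain", BOGUS_CHAIN),
    ]:
        print(f"{label:30s} -> {dane_policy(True, chain).name}")
```

Run with `python3 dane_policy.py` to see each constructed case mapped to its outcome with the extension required; pass `False` as the first argument to `dane_policy` to see that only the "no extension" case changes.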