* In theory perhaps, but as a practical matter, no browser client, at least, can do DNSSEC hard fail, because the rate of organic DNSSEC interference is too high. Indeed, this is the primary reason why DANE over TLS is interesting.
But that doesn’t make Viktor’s statement wrong, does it? Browsers are ignoring the FAIL state; they’re not getting a “neutral” result, are they?
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls