On Fri, 14 Sep 2018, Eric Rescorla wrote:
>> DNSSEC lookups either return the truth or explicitly
>> *FAIL*, they don't just return "neutral" results.
>
> In theory perhaps, but as a practical matter, no browser client, at least,
> can do DNSSEC hard fail, because the rate of organic DNSSEC interference is
> too high. Indeed, this is the primary reason why DANE over TLS is interesting.

Right, the goal is hard fail on DNS manipulation. So it makes no sense
that the extension we are writing to accomplish that would not mandate
it. There are always local policy overrides, whether for testing or
otherwise.
Paul
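The hard-fail versus local-override behaviour argued over above, as an added example that is not part of this thread or of the draft being discussed: a DANE-EE TLSA matcher over the RFC 6698 RDATA wire format, combined with a policy switch for what a client does when its validating resolver reports the TLSA lookup as bogus (the "organic DNSSEC interference" case). The certificate and SPKI bytes are constructed placeholders, since only their hashes matter here; the status strings, the `hard_fail` flag and the "pkix-fallback" outcome are this example's assumptions, not anything the extension specifies.

```python
import hashlib
import struct

# RFC 6698 field values handled by this example
USAGE_DANE_EE = 3        # end-entity certificate, no PKIX chain needed
SELECTOR_FULL = 0        # match the whole DER certificate
SELECTOR_SPKI = 1        # match the DER SubjectPublicKeyInfo
MTYPE_FULL = 0
MTYPE_SHA256 = 1
MTYPE_SHA512 = 2


def parse_tlsa(rdata: bytes):
    """Split TLSA RDATA into (usage, selector, matching_type, association_data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def tlsa_usable(rdata: bytes) -> bool:
    """Only DANE-EE records with known selector/matching type are usable here."""
    usage, selector, mtype, _ = parse_tlsa(rdata)
    return (usage == USAGE_DANE_EE
            and selector in (SELECTOR_FULL, SELECTOR_SPKI)
            and mtype in (MTYPE_FULL, MTYPE_SHA256, MTYPE_SHA512))


def tlsa_matches(rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """True if one usable TLSA record matches the presented end-entity certificate."""
    if not tlsa_usable(rdata):
        return False
    _, selector, mtype, data = parse_tlsa(rdata)
    subject = cert_der if selector == SELECTOR_FULL else spki_der
    if mtype == MTYPE_FULL:
        return data == subject
    if mtype == MTYPE_SHA256:
        return hashlib.sha256(subject).digest() == data
    return hashlib.sha512(subject).digest() == data


def dane_decision(dnssec_status: str, tlsa_rrset, cert_der: bytes,
                  spki_der: bytes, hard_fail: bool) -> str:
    """Client policy for a TLSA lookup result (status values are this example's own):
      "secure"   - RRset signed and validated by the resolver
      "insecure" - provably unsigned zone, so there is no TLSA to enforce
      "bogus"    - validation failed: stripped RRSIGs, tampering, middlebox interference
    Returns "accept", "reject" or "pkix-fallback" (ordinary WebPKI validation only).
    """
    if dnssec_status == "insecure":
        return "pkix-fallback"
    if dnssec_status == "bogus":
        # This is the point of contention: hard fail on manipulation, or let a
        # local policy override downgrade to plain PKIX.
        return "reject" if hard_fail else "pkix-fallback"
    if dnssec_status == "secure":
        usable = [r for r in tlsa_rrset if tlsa_usable(r)]
        if not usable:
            return "pkix-fallback"  # secure NODATA or only unusable records
        return "accept" if any(tlsa_matches(r, cert_der, spki_der) for r in usable) else "reject"
    raise ValueError("unknown DNSSEC status: %r" % dnssec_status)


# Constructed placeholder DER blobs: only their hashes are used.
CERT_DER = b"constructed-placeholder-certificate-der"
SPKI_DER = b"constructed-placeholder-subject-public-key-info"

# TLSA 3 1 1: DANE-EE, SPKI selector, SHA-256 of the SPKI.
GOOD_TLSA = struct.pack("!BBB", 3, 1, 1) + hashlib.sha256(SPKI_DER).digest()
# Same record shape but for a different key, so it must not match.
BAD_TLSA = struct.pack("!BBB", 3, 1, 1) + hashlib.sha256(b"some-other-key").digest()

if __name__ == "__main__":
    for status in ("secure", "bogus", "insecure"):
        for hard in (True, False):
            verdict = dane_decision(status, [GOOD_TLSA], CERT_DER, SPKI_DER, hard)
            print("status=%-8s hard_fail=%-5s -> %s" % (status, hard, verdict))
```

With `hard_fail=True` a bogus lookup rejects the connection, which is the behaviour a client needs if the extension is meant to defeat DNS manipulation; with `hard_fail=False` the same bogus result silently degrades to PKIX-only validation, which is exactly the outcome an on-path attacker who strips RRSIGs wants.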
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls