[dns-operations] [dane] DNSSEC DANE testing

Tony Finch dot at dotat.at
Fri Oct 19 11:13:21 UTC 2012

Warren Kumari <warren at kumari.net> wrote:
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > Well the TLSA is secure.   As long as that matches the CERT returned it *is*
> > secured even if the RRSIG on the A RRset is broken.
> Ooooh… This is an interesting case (which I personally hadn't considered)...
> This all makes sense, but "feels" odd… Not proposing that we do
> anything, but it did make me blink….

This came up when I was working on the SRV/MX drafts. The SRV indirection
needs to be secure, and the TLSA needs to be secure, but that's it.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

More information about the dns-operations mailing list