[dns-operations] [dane] DNSSEC DANE testing
Tony Finch
dot at dotat.at
Fri Oct 19 11:13:21 UTC 2012
Warren Kumari <warren at kumari.net> wrote:
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > Well the TLSA is secure. As long as that matches the CERT returned it *is*
> > secured even if the RRSIG on the A RRset is broken.
>
> Ooooh… This is an interesting case (which I personally hadn't considered)...
>
> This all makes sense, but "feels" odd… Not proposing that we do
> anything, but it did make me blink….
This came up when I was working on the SRV/MX drafts. The SRV indirection
needs to be secure, and the TLSA needs to be secure, but that's it.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
More information about the dns-operations
mailing list