Matt Miller <[email protected]> wrote:
> On Jun 7, 2012, at 15:12, Peter Saint-Andre wrote:

Glad we're all pretty much agreeing :-) One further question:

> If this specification is about DNSSEC with DANE goodness, then I do
> think the A/AAAA verification is necessary, or at least recommended.

What advantage does the verification have, if the client is going to check the server certificate? (I'm assuming that bogus == DNS lookup failure, so the question is about secure vs. insecure.)

The client knows the SRV record is secure so the link from source domain to derived domain is secure. If the address records are insecure, the client needs to check a certificate to be sure the server is the right one; the client gets the same level of assurance whether it matches the source or derived domain.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Fisher: Southeast 5 to 7. Moderate or rough. Occasional rain. Good, occasionally poor.
