Yes, section 3.1's statement is foolish, because it limits itself
by saying "through this mechanism" at the end of the first sentence:
> Continuing to require PKIX validation also limits the degree to which
> DNS operators (as distinct from the holders of domains) can interfere
> with TLS authentication through this mechanism. As above, even if a
> DNS operator falsifies DANE records, it cannot masquerade as the
> target server unless it can also obtain a certificate for the target
> domain.
Through the "CA Constraints" mechanism, a DNS operator cannot falsify
DANE records to masquerade as the target server.
However, through other readily available mechanisms, a DNS operator
can EASILY falsify DANE records to masquerade as the target server.
The statement is literally true as written, but is misleading about
the actual level of security provided in the real world by publishing
a "CA Constraint" TLSA record through an untrustworthy DNS operator.
John
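To make the distinction above concrete, here is a small TLSA-matching routine (added example, not code from the message or from any DANE implementation) that shows what a usage 0 "CA Constraint" record guarantees and what it does not. Certificates and hashes are constructed placeholder bytes, and PKIX validation is passed in as a boolean rather than performed.

```python
import hashlib
from dataclasses import dataclass

# TLSA certificate usage values (RFC 6698, acronyms from RFC 7218)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

@dataclass
class TLSA:
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

@dataclass
class Cert:
    der: bytes      # placeholder for the DER-encoded certificate
    spki: bytes     # placeholder for the DER-encoded SubjectPublicKeyInfo

def _matches(rec: TLSA, cert: Cert) -> bool:
    blob = cert.der if rec.selector == 0 else cert.spki
    if rec.matching == 1:
        blob = hashlib.sha256(blob).digest()
    elif rec.matching == 2:
        blob = hashlib.sha512(blob).digest()
    return blob == rec.data

def dane_accept(records: list[TLSA], chain: list[Cert], pkix_valid: bool) -> bool:
    """chain[0] is the end-entity cert, later entries are issuers (assumed to
    include the trust anchor). pkix_valid is the outcome of ordinary PKIX
    validation against the client's CA store."""
    for rec in records:
        if rec.usage in (PKIX_TA, PKIX_EE):
            if not pkix_valid:
                continue        # usages 0/1 constrain PKIX, they never replace it
            targets = chain if rec.usage == PKIX_TA else chain[:1]
        else:
            targets = chain if rec.usage == DANE_TA else chain[:1]
        if any(_matches(rec, c) for c in targets):
            return True
    return False

def scenarios() -> dict:
    """Constructed data: the holder's real chain, a chain the zone operator
    controls, and three TLSA record sets that might be served for the name."""
    sha = lambda b: hashlib.sha256(b).digest()
    ca, leaf = Cert(b"real-ca", b"real-ca-spki"), Cert(b"real-leaf", b"real-leaf-spki")
    other_ca, other_leaf = Cert(b"other-ca", b"other-ca-spki"), Cert(b"other-leaf", b"other-leaf-spki")
    holder_record = [TLSA(PKIX_TA, 1, 1, sha(ca.spki))]        # published by the domain holder
    swapped_hash = [TLSA(PKIX_TA, 1, 1, sha(other_ca.spki))]   # usage kept at 0, hash replaced
    swapped_usage = [TLSA(DANE_EE, 1, 1, sha(other_leaf.spki))]  # usage changed to 3 as well
    return {
        "holder_record_pkix_ok": dane_accept(holder_record, [leaf, ca], pkix_valid=True),
        "swapped_hash_no_pkix": dane_accept(swapped_hash, [other_leaf, other_ca], pkix_valid=False),
        "swapped_usage_no_pkix": dane_accept(swapped_usage, [other_leaf, other_ca], pkix_valid=False),
    }
```

The second result is the case section 3.1 describes (a usage 0 record alone cannot bypass PKIX); the third is the point made above, that a zone operator who can rewrite the record is not limited to usage 0.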
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane