On Wed, 14 Nov 2012, Tony Finch wrote:

Well, for "indeterminate", you know that the DNS was very broken, or
possibly tampered with, and prevented receiving positive or negative
proof from DNS/TLSA.

No, indeterminate just means you have no trust anchors. Broken/tampered is
bogus.

If you ask with DO bit, and get no answer packet whatsoever, that is
indeterminate, but not bogus.

To me, the actions to perform for "insecure" versus "indeterminate" are
quite different.

To me they are equivalent from an app's point of view.

Proven insecure is a lot different from "could be under attack".

Paul
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane