On Thu, 31 Jan 2013, Stephen Kent wrote:
> I think the simple argument here is that, in the DNS, the parent is authoritative for (DNS) names it assigns to nodes below it, period. This differs from the browser PKI model (let's not dump on X.509 for this truly awful PKI design), where any TA can issue a cert for any name.

But it is not different at all, _because_ the parent or child DNS admin can point the webserver elsewhere and get a new certificate issued. That cert was never safe from any DNS admin control before TLSA, and not after TLSA. So I disagree with Marco's claim that DNSSEC/TLSA changed something.

Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
