>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:
VD> Suppose a query a known signed zone: ... and I receive a signed VD> CNAME referral: ... and suppose further that the example.edu zone VD> is unsigned with FWIW an insecure (zone is not signed) TLSA record VD> published there: My understanding of the consensus is that, if anything in the chain is unsigned (as opposed to bogus), then any tlsa records should be ignored and the connection should progress as if dane were not there at all. -JimC -- James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6 _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
