On Thu, 16 Apr 2015, Stephen Farrell wrote:
> My understanding is that some people wanted to experiment with TLSA without having to have had DNSSEC deployed. But I take your answer to be that no such behaviour is defined here, which is fine. So consider this one answered.
I go back and forth with this one. It seems there is no good reason not to use an insecure trust anchor over no trust anchor, but the UI would have to be clearly different, which is where the real problem is I think. We could easily use unsigned TLSA over completely unverified TLSA, but it would not be a good test because you cannot accept it as equal security in the UI without it becoming a downgrade attack. Those who want to test could add their zone to the DLV, at least for now - or configure a local trust anchor, if they are okay with a signed zone without DS record.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
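The downgrade Paul describes can be made concrete with a small client-side policy model. The following is an added example written for this page, not code from the thread's participants or from any DANE implementation; the certificate bytes, the zone names and the `accept_insecure_tlsa` switch are constructed for illustration. It implements only DANE-EE (usage 3, selector 0, matching type 1: SHA-256 over the full certificate) and applies the RFC 6698 section 4.1 rule that a TLSA RRset is usable only when the resolver returned it DNSSEC-validated ("secure"); an "insecure" answer is treated as if no TLSA records existed and the client falls back to PKIX, and a "bogus" answer is a hard failure. The `accept_insecure_tlsa=True` branch is the experiment under discussion: an attacker who can inject answers for an unsigned zone and present their own certificate is then authenticated by their own injected TLSA record, which is exactly why the result must not be shown to the user as equivalent to a validated DANE match.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA record: usage, selector, matching type, association data."""
    usage: int
    selector: int
    matching: int
    data: bytes


def tlsa_for_cert(cert_der: bytes) -> TLSA:
    """Build the DANE-EE / full-cert / SHA-256 record (3 0 1) for a certificate."""
    return TLSA(3, 0, 1, hashlib.sha256(cert_der).digest())


def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    """Only the 3 0 1 combination is handled in this example; others never match."""
    if (rec.usage, rec.selector, rec.matching) != (3, 0, 1):
        return False
    return rec.data == hashlib.sha256(cert_der).digest()


def authenticate(dnssec_state, tlsa_rrset, cert_der, pkix_ok, accept_insecure_tlsa=False):
    """Decide whether to accept a presented certificate.

    dnssec_state is the resolver's verdict on the TLSA lookup:
      'secure'   -- validated (AD bit set)
      'insecure' -- zone is unsigned, records unauthenticated
      'bogus'    -- validation attempted and failed
    Returns (outcome, basis); 'basis' is what a UI would have to display,
    and it deliberately carries the DNSSEC state so that 'DANE-EE (insecure)'
    can never be rendered the same way as 'DANE-EE (secure)'.
    """
    if dnssec_state == "bogus":
        # Validation failure: do not fall back, do not connect.
        return ("fail", "bogus TLSA lookup")

    usable = dnssec_state == "secure" or (
        dnssec_state == "insecure" and accept_insecure_tlsa
    )
    if usable and tlsa_rrset:
        if any(tlsa_matches(r, cert_der) for r in tlsa_rrset):
            return ("ok", f"DANE-EE ({dnssec_state})")
        # Usable TLSA present but nothing matched: DANE says reject.
        return ("fail", "TLSA present but no match")

    # No usable TLSA records (absent, or insecure under the RFC 6698 rule):
    # behave as a non-DANE client and rely on PKIX alone.
    return ("ok", "PKIX") if pkix_ok else ("fail", "PKIX failed")


# Constructed inputs: stand-ins for DER certificates, not real ones.
LEGIT_CERT = b"constructed DER for the real example.net server"
ATTACKER_CERT = b"constructed DER for an on-path attacker"
LEGIT_RRSET = [tlsa_for_cert(LEGIT_CERT)]
INJECTED_RRSET = [tlsa_for_cert(ATTACKER_CERT)]  # spoofed into an unsigned zone


def scenarios():
    """Run the three cases the thread is about and return their outcomes."""
    return {
        # Signed zone, genuine server: DANE-EE match, validated.
        "signed_zone_legit": authenticate("secure", LEGIT_RRSET, LEGIT_CERT, pkix_ok=True),
        # Unsigned zone, attacker injects a TLSA for their own cert, which has
        # no valid PKIX chain. Strict policy ignores the unsigned TLSA and PKIX fails.
        "unsigned_strict": authenticate(
            "insecure", INJECTED_RRSET, ATTACKER_CERT, pkix_ok=False
        ),
        # Same attack, but the client accepts unsigned TLSA as usable: the
        # attacker's own record authenticates the attacker's own cert.
        "unsigned_naive": authenticate(
            "insecure", INJECTED_RRSET, ATTACKER_CERT, pkix_ok=False,
            accept_insecure_tlsa=True,
        ),
        # Signed zone whose signatures fail validation: hard failure either way.
        "bogus": authenticate("bogus", LEGIT_RRSET, LEGIT_CERT, pkix_ok=True,
                              accept_insecure_tlsa=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

The `unsigned_naive` case is the downgrade: the attacker needs no CA-issued certificate and no DNSSEC key, only the ability to answer the TLSA query for an unsigned name. The only thing keeping the experiment honest is that `basis` reports `DANE-EE (insecure)` rather than `DANE-EE (secure)`, which is the UI distinction Paul says would have to exist before such a mode could be offered at all.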
