On 16/04/15 20:10, Paul Wouters wrote:
> On Thu, 16 Apr 2015, Stephen Farrell wrote:
>
>> My understanding is that some people wanted to experiment with TLSA
>> without having to have had DNSSEC deployed. But I take your answer
>> to be that no such behaviour is defined here, which is fine. So
>> consider this one answered.
>
> I go back and forth with this one. It seems there is no good reason
> not to use an insecure trust anchor over no trust anchor, but the UI
> would have to be clearly different, which is where the real problem is
> I think. We could easily use unsigned TLSA over completely unverified
> TLSA, but it would not be a good test because you cannot accept it as
> equal security in the UI without it becoming a downgrade attack.
>
> Those who want to test could add their zone to the DLV, at least for
> now - or configure a local trust anchor, if they are okay with a
> signed zone without DS record.
I still think I've been answered but just to clarify. The context here
has no UI at all given it's between MTAs. And the people who wanted to
experiment I believe wanted to play about with no DNSSEC at all, rather
than with local trust anchors for DNS.

Cheers,
S.

> Paul
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
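The policy the thread is circling around (an unsigned TLSA answer must never be granted the same standing as a DNSSEC-validated one, or the "experiment" becomes a downgrade) can be made concrete for the MTA-to-MTA case. The following is an added example, not code from the list discussion or from any DANE implementation; it models a validating resolver's answer with a constructed `DnsAnswer` structure (the `ad` flag standing in for the resolver's DNSSEC validation result) and supports only DANE-EE/SPKI/SHA-256 (usage 3, selector 1, matching type 1) TLSA records.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a resolver's TLSA answer (not a real DNS library type).
@dataclass
class TlsaRecord:
    usage: int      # 3 = DANE-EE
    selector: int   # 1 = SubjectPublicKeyInfo
    mtype: int      # 1 = SHA-256
    data: bytes     # certificate association data (the digest)

@dataclass
class DnsAnswer:
    rcode: str      # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    ad: bool        # AD flag: the validating resolver authenticated this answer
    records: list = field(default_factory=list)

def dane_policy(answer: DnsAnswer) -> str:
    """Decide how an MTA should treat a TLSA lookup for a peer.

    'dane'          -> DNSSEC-validated, usable TLSA records: enforce them.
    'opportunistic' -> no validated, usable TLSA data: fall back to ordinary
                       opportunistic TLS and never report DANE-level security.
    'fail'          -> the resolver signalled validation failure (SERVFAIL).
    """
    if answer.rcode == "SERVFAIL":
        return "fail"
    if answer.rcode != "NOERROR" or not answer.records:
        return "opportunistic"
    if not answer.ad:
        # Unsigned TLSA: readable, but treating it as authenticated is exactly
        # the downgrade the thread warns about, so it earns no extra trust.
        return "opportunistic"
    usable = [r for r in answer.records
              if (r.usage, r.selector, r.mtype) == (3, 1, 1)]
    return "dane" if usable else "opportunistic"

def tlsa_for_spki(spki_der: bytes) -> TlsaRecord:
    """Build the 3 1 1 TLSA record that would be published for this SPKI."""
    return TlsaRecord(3, 1, 1, hashlib.sha256(spki_der).digest())

def spki_matches(record: TlsaRecord, spki_der: bytes) -> bool:
    """Check a peer's presented SPKI against a 3 1 1 record (constant-time not
    needed here: the digest is public data, not a secret)."""
    return record.data == hashlib.sha256(spki_der).digest()

if __name__ == "__main__":
    rec = tlsa_for_spki(b"constructed-spki-der")      # constructed sample key
    print(dane_policy(DnsAnswer("NOERROR", True, [rec])))    # dane
    print(dane_policy(DnsAnswer("NOERROR", False, [rec])))   # opportunistic
```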
