On Fri, Apr 17, 2015 at 04:39:42PM +0000, Viktor Dukhovni wrote:
> Well, though I don't know why we'd care about protecting the address
> records also (given routing layer attacks), ... There is (full
> disclosure) a corner case where the address records are not secure,
> but the TLSA records are.
>
> The case in question is a CNAME alias chain whose starting point
> (the "owner" name of the initial CNAME) is in a signed zone, but
> whose end-point is not secure:
This sort of thing is fine in general: get the TLSA RRSet for the original name, chase aliasing regardless of whether the aliasing RRs are signed, then insist on the server using certificates that validate per the TLSA RRSet found at the beginning. Though preferably we should sign everything -- it's easier to think about this.

Changing the origin is a different (but related) topic, about which see the threads from the URI RR's IETF LC.

Nico
-- 
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
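The three-step procedure Nico describes (TLSA from the original name, alias chasing without caring whether the CNAMEs are signed, then certificate matching against that first TLSA RRSet), sketched as an added example that is not part of the thread and not any resolver's or library's code. The DNS data is a constructed in-memory table with a `secure` flag standing in for the AD bit a validating resolver would return; only DANE-EE(3)/SPKI(1)/SHA-256(1) matching is implemented, and the TLSA owner name is assumed to be `_443._tcp.<origin>`:

```python
import hashlib

# Constructed toy DNS data (not real hosts): (owner, rrtype) -> (rdata list, secure).
# `secure` models the AD bit from a validating resolver. The CNAME lives in a
# signed zone, but its target is in an unsigned zone, as in the quoted corner case.
SPKI_GOOD = b"constructed-spki-der-bytes-for-demo"  # stands in for the server's SPKI
RECORDS = {
    ("_443._tcp.www.example.com.", "TLSA"): (
        [(3, 1, 1, hashlib.sha256(SPKI_GOOD).hexdigest())], True),
    ("www.example.com.", "CNAME"): (["web.unsigned-host.example."], True),
    ("web.unsigned-host.example.", "A"): (["192.0.2.10"], False),
}


def lookup(name, rrtype):
    """Hypothetical resolver call over the constructed table."""
    return RECORDS.get((name, rrtype), ([], False))


def chase_cname(name, max_hops=8):
    """Follow the alias chain to its end. The DNSSEC status of the CNAME RRs
    is deliberately ignored: the aliasing need not be secure."""
    seen = set()
    cur = name
    for _ in range(max_hops):
        targets, _secure = lookup(cur, "CNAME")
        if not targets:
            return cur
        seen.add(cur)
        cur = targets[0]
        if cur in seen:
            raise ValueError("CNAME loop at %s" % cur)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def dane_addresses(origin):
    """Steps 1 and 2: TLSA RRSet from the *original* name, which must be
    DNSSEC-secure to be usable at all; addresses from wherever the chain ends,
    secure or not, since the TLSA data (not the address) is what we trust."""
    tlsa, secure = lookup("_443._tcp." + origin, "TLSA")
    if not tlsa or not secure:
        return None  # no usable DANE for this name: caller falls back to non-DANE policy
    canonical = chase_cname(origin)
    addrs, _insecure_is_fine = lookup(canonical, "A")
    return {"tlsa": tlsa, "canonical": canonical, "addresses": addrs}


def spki_matches_tlsa(spki_der, tlsa):
    """Step 3: the presented end-entity SPKI must match a TLSA record found
    at the beginning. Only usage 3 / selector 1 / matching type 1 is handled."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return any(
        (usage, selector, mtype) == (3, 1, 1) and data == digest
        for usage, selector, mtype, data in tlsa
    )


if __name__ == "__main__":
    plan = dane_addresses("www.example.com.")
    print("connect to", plan["addresses"], "via", plan["canonical"])
    print("server SPKI accepted:", spki_matches_tlsa(SPKI_GOOD, plan["tlsa"]))
```

The point of the split is that `dane_addresses` refuses to proceed only when the TLSA RRSet itself is missing or unvalidated; an unsigned A record at the end of the chain changes nothing, because an attacker who spoofs it still has to present a key that matches the signed TLSA data.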
