On 17/04/15 17:39, Viktor Dukhovni wrote:

> Well, though I don't know why we'd care about protecting the address
> records also (given routing layer attacks), ... There is (full
> disclosure) a corner case where the address records are not secure,
> but the TLSA records are.
Right, that's what I was wondering about. I think the question for the WG is whether or not to note that that allows for potential traffic re-direction and traffic analysis of the TLS-protected data.

You are also correct that this could be done via BGP (and is perhaps more likely to be done), but if one was worried about this, then the error could also be done at this level (as shown by your example), which is an argument to call this out but not get into BGP issues.

S.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
