Sounds familiar :) https://tools.ietf.org/html/draft-ietf-dnsop-edns-chain-query-02
Sent from my iPhone

> On Jul 28, 2015, at 20:11, Nico Williams <[email protected]> wrote:
>
> I doubt this is the right list to send this to, but might as well start
> here and move this elsewhere as needed.
>
> My proposal for stapling DNSSEC/DANE is as follows:
>
> - Use a DNS response whose answer is the TLSA RRset and whose
>   additional section contains all the DNSSEC RRsets needed to validate
>   the answer, chaining all the way to ., of course.
>
> One can already get such responses from caching validating resolvers, so
> producing these is easy.
>
> Validating them requires a library, but ideally we could define a
> protocol to speak to caching validating resolvers for validating stapled
> DNSSEC, my proposal for which is:
>
> - Send the stapled DNSSEC response as a query that the caching
>   validating resolver must then respond to with an error if it does not
>   validate, or with an answer that contains just the answer RRset
>   (which must match the query).
>
> Caching validating resolvers would be allowed to also ignore the
> answer and additional RRs in the query and instead answer the
> question as usual. Clients would have to check the response to make
> sure they got the same TLSA RRset as stapled.
>
> Obviously this would work for RRs other than TLSA.
>
> Nico
> --
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
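As an added example that is not part of this thread or any IETF work, here is a small Python model of the exchange Nico describes: the server builds the stapled response, the resolver either validates it or takes the permitted shortcut of answering the question itself, and the client checks that what came back is the same TLSA RRset it was given. Record types, the `validate` callback and the sample records are assumptions made up for the illustration; no real DNSSEC signature checking is performed.

```python
# Added example, not from the thread: a minimal model of the stapled
# DNSSEC exchange proposed above. Records are plain tuples; the DNSSEC
# chain validation itself is a caller-supplied callback (assumption), so the
# code shows the message handling on each side and the client's final check.
from typing import NamedTuple

NOERROR, SERVFAIL = 0, 2  # DNS RCODE values

class RR(NamedTuple):
    name: str
    rtype: str    # "TLSA", "RRSIG", "DNSKEY", "DS", ...
    ttl: int
    rdata: bytes

class Message(NamedTuple):
    rcode: int
    question: tuple     # (qname, qtype)
    answer: tuple       # RRs
    additional: tuple   # RRs; the stapled DNSSEC chain in a stapled query

def rrset_key(rrs):
    """Canonical RRset identity: owner name case-insensitive, TTL dropped
    (a cache will rewrite it), so only the (name, type, rdata) triples count."""
    return frozenset((rr.name.lower().rstrip(".") + ".", rr.rtype, rr.rdata) for rr in rrs)

def build_stapled_query(tlsa, chain):
    """Server side: the stapled blob is a DNS response reused as a query."""
    return Message(NOERROR, (tlsa[0].name, tlsa[0].rtype), tuple(tlsa), tuple(chain))

def resolver_handle(query, validate, lookup=None):
    """Caching validating resolver side. With `lookup` it takes the allowed
    shortcut and answers the question from its own cache, ignoring the stapled
    RRs. Otherwise it validates the stapled chain and returns either an error
    or only the answer RRset, which must match the question."""
    qname, qtype = query.question
    if lookup is not None:
        return Message(NOERROR, query.question, tuple(lookup(qname, qtype)), ())
    matches_question = query.answer and all(
        (rr.name.lower(), rr.rtype) == (qname.lower(), qtype) for rr in query.answer)
    if not matches_question or not validate(query.answer, query.additional):
        return Message(SERVFAIL, query.question, (), ())
    return Message(NOERROR, query.question, query.answer, ())

def client_accepts(stapled, response):
    """Client side: use the stapled TLSA RRset only if the resolver returned
    NOERROR and exactly the same RRset (TTLs aside), whichever path it took."""
    return response.rcode == NOERROR and rrset_key(response.answer) == rrset_key(stapled)
```

Because the resolver may answer from its own cache, the client's equality check has to ignore TTL and owner-name case, which is why `rrset_key` normalises both before comparing.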