DANE folks,

We've recently updated the "TLS extension for DANE and DNSSEC authentication chain" draft:

https://tools.ietf.org/html/draft-shore-tls-dnssec-chain-extension-02

This work is proposed to happen in TLS, but we hope to get plenty of feedback from DNS/DANE folks. Here's a quick summary of the major changes in -02:

* Updated references to newly published DANE RFCs
* An update to the chain data format. It now uses native DNS wire format resource records with no TLS presentation language wrapping. This makes it easier for implementations to work with existing DNS libraries to produce and consume the data. But we still describe the data format in sufficient detail that implementers not using DNS libraries can work with it.
* Description of how CNAMEs and DNAMEs are accommodated
* Reference to use of the X.509v3 TLS Feature Extension to mandate use of the extension by a server certificate.
* Reference to the EDNS chain query option draft as a future easy way to obtain/produce the chain data.
* Removed discussion of possible client caching of chain data components (could be difficult to get right and/or a premature optimization).

-- 
Shumon Huque
dane mailing list: https://www.ietf.org/mailman/listinfo/dane
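As an added illustration (not code from the draft, its authors, or the mailing list), the following Python parses an extension payload laid out the way -02 describes it: a plain concatenation of RFC 1035 wire-format resource records with no TLS presentation-language wrapping. The owner name, TTL, digest and the stand-in RRSIG bytes are constructed for the example; handling of compression pointers in owner names is a defensive assumption, not something the draft requires.

```python
import struct

TLSA_TYPE, RRSIG_TYPE = 52, 46  # RR type codes from RFC 6698 and RFC 4034

def parse_name(buf, off):
    """Read an RFC 1035 owner name; compression pointers are tolerated but not expected here."""
    labels, jumped, end = [], False, None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer into the same buffer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)

def parse_rr(buf, off):
    """Parse one RR (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA); returns (rr, next_offset)."""
    name, off = parse_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    rdata = buf[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")  # reject short or malformed chain data
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen

def parse_chain(buf):
    """Split the extension payload into its sequence of concatenated wire-format RRs."""
    rrs, off = [], 0
    while off < len(buf):
        rr, off = parse_rr(buf, off)
        rrs.append(rr)
    return rrs

def decode_tlsa(rdata):
    """TLSA RDATA (RFC 6698): usage, selector, matching type, certificate association data."""
    return rdata[0], rdata[1], rdata[2], rdata[3:].hex()

def encode_rr(name, rtype, ttl, rdata):
    """Build one wire-format RR (class IN) for the constructed sample below."""
    owner = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split(".")) + b"\x00"
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample chain: a TLSA RR (usage 3, selector 1, matching type 1) plus a stand-in RRSIG RR
# whose RDATA is dummy bytes, not a real signature. Nothing here is taken from the draft itself.
SAMPLE_CHAIN = (encode_rr("_443._tcp.example.com.", TLSA_TYPE, 3600, bytes([3, 1, 1]) + bytes.fromhex("ab" * 32))
                + encode_rr("_443._tcp.example.com.", RRSIG_TYPE, 3600, b"\x00\x34" + b"\x00" * 16))
```

Because the payload is ordinary wire format, the same bytes can be handed to an existing DNS library instead of this hand-rolled parser; the length check on RDLENGTH is the one point where a lenient parser would otherwise accept a truncated chain.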
