On Wed, 27 May 2020, Petr Špaček wrote:
> - I don't see any traction for draft-ietf-tls-dnssec-chain-extension. Do you see any evidence it is going to change?

The draft has been resubmitted for the ISE stream (not TLS WG) as draft-dukhovni-tls-dnssec-chain. Stubby already implements it. We do see traction and a lot of interest. Viktor wants to add support to openssl. But we are unfortunately waiting on the ISE :/

> - If I'm not mistaken, authoritative servers implementing draft-ietf-tls-dnssec-chain-extension would need to add a DNS resolver to refresh the chain of records leading to TLSA records under their name:

No. An external program can update the blob and regularly rewrite it. The DNS auth server can pick it up using inotify or something.

> b) Auth servers nowadays do not even know all their _names_ and do not care/need to know. How would we solve that?

Whatever part talks TLS knows the certificate it is using, and can pull the SAN with FQDN from the certificate.

Paul

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
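The step Paul describes (the TLS-speaking component reads the dNSName SANs out of its own certificate and derives the TLSA owner names whose DNSSEC chain it would serve) as an added example that is not part of the thread or of any implementation mentioned in it. It parses a hand-constructed SubjectAltName extension value in DER rather than a full certificate, and the `_port._proto.host` owner-name form follows RFC 6698.

```python
# Added example, not code from the thread. Extracts dNSName SANs from a DER
# SubjectAltName value and maps each to its TLSA owner name (RFC 6698).

def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (0x81, 0x82, ...)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(san_der):
    """Return the dNSName entries (GeneralName [2], tag 0x82) of a SAN SEQUENCE."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag == 0x82:                     # dNSName is an IA5String
            names.append(value.decode("ascii"))
        # iPAddress (0x87), rfc822Name (0x81) etc. carry no TLSA owner name
    return names

def tlsa_owner(fqdn, port=443, proto="tcp"):
    """TLSA owner name for a service: _port._proto.host (absolute, lowercase)."""
    return f"_{port}._{proto}.{fqdn.rstrip('.').lower()}."

def build_san(names):
    """Encode a SAN SEQUENCE of dNSNames (constructed sample; short lengths only)."""
    body = b"".join(bytes([0x82, len(n)]) + n.encode("ascii") for n in names)
    return bytes([0x30, len(body)]) + body

# Constructed sample: a certificate carrying two DNS SANs.
SAMPLE_SAN = build_san(["www.example.com", "example.com"])

if __name__ == "__main__":
    for name in san_dns_names(SAMPLE_SAN):
        print(name, "->", tlsa_owner(name))
```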
