On Feb 16, 2021, at 6:41 PM, Paul Wouters <[email protected]> wrote:
>
> On Mon, 15 Feb 2021, Paul Wouters wrote:
>
>> Here is a different sentinel:
>>
>> _53._dns.ns0.example.com. IN TLSA x y z <base64ofCert>
>>
>> Then do (D)TLS
>>
>> Now you can choose:
>>
>> 1) Use DNS(SEC) for validation
>> 2) Use WebPKI[*] for validation
>> 3) TOFU
>> 4) Take at face value
>
> As PaulH pointed out, the TLSA RFC does not allow one to accept a TLSA
> RRset without DNSSEC signature protection. To allow for deployment
> without DNSSEC, you could instead use the CERT RRtype that has no such
> requirement.
Well, not exactly. (Yes, I said that to PaulW when we were talking, but I was not being precise.) RFC 6698 defines both the TLSA RRtype and a protocol to use it. The protocol defined in RFC 6698 indeed requires the TLSA record to be validated with DNSSEC. However, a new protocol, such as the one here, could use the TLSA record type in a different protocol, such as the one PaulW has above. The document that defines that protocol would have to be completely clear about what it was doing and why.

--PaulH
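The distinction PaulH draws is easy to see in code, so here is an added example (written for this page, not code from the thread or from either Paul): a client that receives the `_53._dns.ns0.example.com. IN TLSA` sentinel, matches it against the certificate presented in the (D)TLS handshake, and then applies either the RFC 6698 rule (the RRset is usable only if it validated as DNSSEC-secure) or one of the looser options PaulW lists. Two caveats on assumptions: the zone-file format for the association data in RFC 6698 is hex, not base64, so the parser takes hex; and `_dns` is the label proposed in the thread, not one of the transport labels RFC 6698 defines. The names `TLSA`, `parse_tlsa`, `tlsa_matches`, `decide`, `demo` and all certificate bytes are constructed for the example; `webpki_ok` is an injected callback standing in for a real PKIX chain validation.

```python
"""Added example (not code from the thread): the sentinel TLSA record under
the RFC 6698 rule and under the thread's four looser options.  All
certificate bytes and DNS answers are constructed inline."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SEL_CERT, SEL_SPKI = 0, 1                          # RFC 6698 selector codes
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2   # matching-type codes


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse '<usage> <selector> <matching> <hex>' (RFC 6698 zone-file
    format is hex, not the base64 written in the thread)."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and selector in (SEL_CERT, SEL_SPKI)
            and matching in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512)):
        raise ValueError("unsupported TLSA parameters")
    return TLSA(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE style check of the presented leaf (usage 0/2 would also need
    PKIX or DANE-TA chain checks, not modelled here)."""
    selected = cert_der if rr.selector == SEL_CERT else spki_der
    if rr.matching == MATCH_FULL:
        return hmac.compare_digest(selected, rr.data)
    digest = hashlib.sha256 if rr.matching == MATCH_SHA256 else hashlib.sha512
    return hmac.compare_digest(digest(selected).digest(), rr.data)


def decide(policy: str, name: str, cert_der: bytes, spki_der: bytes,
           rrset: List[TLSA], dnssec_secure: bool,
           tofu_store: Optional[Dict[str, bytes]] = None,
           webpki_ok: Optional[Callable[[bytes], bool]] = None) -> str:
    """Return 'accept:<why>' or 'reject:<why>' for one (D)TLS handshake.
    'rfc6698' is the baseline the thread cites (an RRset that did not
    validate as DNSSEC-secure is unusable); 'webpki', 'tofu' and
    'face-value' are the looser options a new protocol would have to
    spell out explicitly, since RFC 6698 does not permit them for TLSA."""
    dane_match = any(tlsa_matches(rr, cert_der, spki_der) for rr in rrset)
    fingerprint = hashlib.sha256(cert_der).digest()
    if policy == "rfc6698":
        if not dnssec_secure:
            return "reject:tlsa-rrset-not-dnssec-secure"
        return "accept:dane" if dane_match else "reject:dane-mismatch"
    if policy == "webpki":           # TLSA ignored; caller supplies the check
        if webpki_ok is None:
            return "reject:no-webpki-validator"
        return "accept:webpki" if webpki_ok(cert_der) else "reject:webpki"
    if policy == "tofu":
        if tofu_store is None:
            return "reject:no-tofu-store"
        pinned = tofu_store.get(name)
        if pinned is None:
            # First contact: pin only if the (unsigned) TLSA agrees with the
            # presented cert, so an on-path cert is not learned unless the
            # attacker also controls the DNS answer.
            if not dane_match:
                return "reject:first-contact-tlsa-mismatch"
            tofu_store[name] = fingerprint
            return "accept:tofu-pinned"
        return ("accept:tofu-known" if hmac.compare_digest(pinned, fingerprint)
                else "reject:tofu-changed")
    if policy == "face-value":
        return "accept:unsigned-tlsa" if dane_match else "reject:dane-mismatch"
    return "reject:unknown-policy"


# Constructed stand-ins for the DER blobs a real client takes from the handshake.
CERT_DER = b"constructed DER certificate for ns0.example.com"
SPKI_DER = b"constructed SubjectPublicKeyInfo for ns0.example.com"
MITM_CERT = b"constructed DER certificate from an on-path attacker"
SENTINEL_NAME = "_53._dns.ns0.example.com."    # '_dns' is the thread's label
SENTINEL_RR = parse_tlsa("3 0 1 " + hashlib.sha256(CERT_DER).hexdigest())


def demo() -> Dict[str, str]:
    """Same record and server cert under each policy, signed and unsigned."""
    store: Dict[str, bytes] = {}
    rr, n = [SENTINEL_RR], SENTINEL_NAME
    return {
        "rfc6698/signed": decide("rfc6698", n, CERT_DER, SPKI_DER, rr, True),
        "rfc6698/unsigned": decide("rfc6698", n, CERT_DER, SPKI_DER, rr, False),
        "face-value/unsigned": decide("face-value", n, CERT_DER, SPKI_DER, rr, False),
        "tofu/first": decide("tofu", n, CERT_DER, SPKI_DER, rr, False, store),
        "tofu/mitm": decide("tofu", n, MITM_CERT, SPKI_DER, rr, False, store),
        "webpki": decide("webpki", n, CERT_DER, SPKI_DER, [], False,
                         webpki_ok=lambda c: c == CERT_DER),
    }
```

Running `demo()` shows the point of the exchange: the same `3 0 1` record accepts the server under `rfc6698` only when the answer was DNSSEC-secure, is rejected outright under `rfc6698` when it was not, and is accepted under `face-value` regardless. The `tofu` branch shows one way a new protocol could use an unsigned TLSA answer (pin on first contact, then detect a changed certificate); whether that is acceptable is exactly what such a protocol document would have to state.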
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
