On Dec 10, 2021, at 17:16, Daniel Kahn Gillmor <[email protected]> wrote:

> I think you're suggesting that the recursive should hard-fail if a TLSA
> record is found but it does not successfully authenticate the
> authoritative.

I am not Robert, but: eventually, maybe not at first?

> TLSA itself doesn't include the following properties that I think we
> want from a signal:
>
> - indication of which encrypted transports (DoT or DoQ) are supported

It does this by having a different prefix location, but I agree it's not
ideal, as I said in my previous message.

> - whether to hard-fail or not

See above. Although one could add it as an EKU to the cert, but then DNS
needs the full cert instead of the hash. Or we could extend the Usage
field of the TLSA record to contain this information.

> - how to report errors

Gossip-like? Send old certs from the TLS to the new server to report them,
similar to CT gossip proposals. That is in a TLS extension.

> I worry that TLSA alone isn't expressive enough to support that rollout,
> and that jumping straight to a hard-fail mechanism will scare people
> from deploying. Maybe those fears are misplaced, though.

I think we can encode that in the Usage field.

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
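The exchange above turns on three concrete mechanics: the TLSA owner name differing only in the protocol label for DoT versus DoQ (the "different prefix location"), the RFC 6698 Usage/Selector/Matching Type fields, and what a recursive does when a record exists but does not authenticate the authoritative. The following is an added example, not code from the thread or from any IETF draft; it implements only the standard RFC 6698 field semantics (no extended Usage values), checks DANE-EE (usage 3) records only, and takes the certificate and SubjectPublicKeyInfo DER as caller-supplied bytes rather than parsing X.509. The name `ns1.example`, the strict "hard-fail" policy, and the sample certificate bytes are constructed for illustration.

```python
"""Added example: TLSA lookup name and DANE-EE matching for an authoritative
server's DoT/DoQ certificate, with the strict hard-fail policy discussed in
the thread. Not code from the thread; RFC 6698 field values only."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, List

# RFC 6698 field values this checker understands.
USAGE_DANE_EE = 3        # the presented end-entity cert itself must match
SELECTOR_FULL_CERT = 0   # match against the full DER certificate
SELECTOR_SPKI = 1        # match against the DER SubjectPublicKeyInfo
MATCH_FULL = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSA":
        """Parse TLSA RDATA: three one-octet fields, then the association data."""
        if len(rdata) < 4:
            raise ValueError("TLSA RDATA too short")
        usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
        return cls(usage, selector, matching_type, rdata[3:])

    def to_wire(self) -> bytes:
        return struct.pack("!BBB", self.usage, self.selector, self.matching_type) + self.data

    def to_presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def tlsa_owner_name(ns_name: str, transport: str) -> str:
    """Owner name the recursive queries. DoT and DoQ both use port 853 and
    differ only in the protocol label: that is the 'different prefix location'."""
    proto = {"dot": "_tcp", "doq": "_udp"}[transport]
    return f"_853.{proto}.{ns_name.rstrip('.')}."


def association_data(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the Certificate Association Data field must contain for the given
    selector and matching type. cert_der/spki_der come from the TLS handshake;
    no X.509 parsing is done here."""
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def is_usable(rec: TLSA) -> bool:
    """Records this checker can evaluate (other usages need chain validation)."""
    return (rec.usage == USAGE_DANE_EE
            and rec.selector in (SELECTOR_FULL_CERT, SELECTOR_SPKI)
            and rec.matching_type in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))


def record_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a usable DANE-EE record authenticates the presented certificate."""
    if not is_usable(rec):
        return False
    return association_data(rec.selector, rec.matching_type, cert_der, spki_der) == rec.data


def authenticate(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> str:
    """Strict policy from the thread (an assumption, not a standard):
    'no-tlsa'       no records, nothing to check (opportunistic use is up to the caller)
    'unusable'      records exist but none can be evaluated (RFC 7671 treats this as no DANE)
    'authenticated' at least one usable record matches
    'hard-fail'     usable records exist and none matches: refuse the server."""
    recs: List[TLSA] = list(records)
    if not recs:
        return "no-tlsa"
    usable = [r for r in recs if is_usable(r)]
    if not usable:
        return "unusable"
    if any(record_matches(r, cert_der, spki_der) for r in usable):
        return "authenticated"
    return "hard-fail"


# Constructed stand-ins for the DER certificate and its SubjectPublicKeyInfo
# presented by ns1.example; not real X.509 data.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-cert-body"
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-spki-body"


def sample_record() -> TLSA:
    """A '3 1 1' record (DANE-EE, SPKI, SHA-256), the usual publication form."""
    data = association_data(SELECTOR_SPKI, MATCH_SHA256, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    return TLSA(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, data)


if __name__ == "__main__":
    rec = sample_record()
    print(tlsa_owner_name("ns1.example.", "dot"), "TLSA", rec.to_presentation())
    print(authenticate([rec], SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The `hard-fail` branch is the behaviour Daniel describes; a recursive choosing the softer rollout would map that outcome to a logged warning and proceed, and the "how to report errors" question is exactly what this code leaves to the caller.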
