In article <[email protected]> you write:
>Would it be easier or harder, instead of adding a new SNI RRtype, to use
>DANE TLSA records to identify the server's cert or key, and use a
>variation of TLS SNI to request the cert by digest instead of by name?
I don't see how that would help. Using passive DNS it's easy to find all the names that point to a server, which makes it easy to get all of the TLSA records for those names so the bad guy knows the hashes.

R's,
John

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
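The chain in the reply above (passive DNS yields the names, the names yield the TLSA records, the TLSA records yield the digests), worked through as an added example that is not part of the original thread. The TLSA wire encoding follows RFC 6698; the certificate bytes, host names and passive-DNS observations are constructed placeholders, not real data.

```python
import hashlib
import struct

# TLSA RDATA (RFC 6698 section 2.1): usage, selector and matching type
# are one byte each, followed by the certificate association data.
def tlsa_assoc_data(matching_type: int, der: bytes) -> bytes:
    """Association data for the given matching type:
    0 = full DER, 1 = SHA-256 digest, 2 = SHA-512 digest."""
    if matching_type == 0:
        return der
    if matching_type == 1:
        return hashlib.sha256(der).digest()
    if matching_type == 2:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(usage: int, selector: int, matching_type: int, der: bytes) -> bytes:
    """Build the binary RDATA of one TLSA record."""
    return struct.pack("!BBB", usage, selector, matching_type) + tlsa_assoc_data(matching_type, der)


def tlsa_presentation(rdata: bytes) -> str:
    """Render RDATA in zone-file form, e.g. '3 0 1 <hex digest>'."""
    usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
    return f"{usage} {selector} {matching_type} {rdata[3:].hex()}"


def digests_reachable_via_passive_dns(server_ip: str, passive_dns: dict, zone: dict) -> dict:
    """Map each name seen resolving to server_ip to the association data
    published in its _443._tcp TLSA record. Every input here is public
    DNS data, which is why the digest carries no secrecy."""
    found = {}
    for name in passive_dns.get(server_ip, ()):
        rdata = zone.get(f"_443._tcp.{name}")
        if rdata is not None:
            found[name] = rdata[3:]
    return found


# Constructed sample data: a fake certificate, two names on one host,
# and the TLSA records that host would publish for both names.
CERT_DER = b"\x30\x82\x01\x0a constructed-certificate-bytes"
PASSIVE_DNS = {"192.0.2.10": ["alpha.example", "beta.example"]}
TLSA_ZONE = {
    "_443._tcp.alpha.example": tlsa_rdata(3, 0, 1, CERT_DER),
    "_443._tcp.beta.example": tlsa_rdata(3, 0, 1, CERT_DER),
}
```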
