On Thu, 24 Sep 2015, Tommy Pauly wrote:
> We’d like to get feedback from the working group about the level of interest in this topic, and if people would like to work on adopting it.
One item we were not sure about is the format of the INTERNAL_DNSSEC_TA. While a DS record is shorter and nicer and easier to add as a configuration option, it requires the initiator to do an (insecure?) DNS request for the DNSKEY, then convert/verify it with the DS record. It would be easier for the client to be given the DNSKEY. But DNSKEYs are much bigger and unwieldy and would be pretty ugly in configuration files on the responder side.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
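The "convert/verify it with the DS record" step Paul describes, written out as an added Python example; this is not code from the thread, the draft, or any IKEv2 implementation. It follows RFC 4034 (DS digest over canonical owner name plus DNSKEY RDATA, and the Appendix B key tag). The owner name, the key bytes and the function names are constructed for illustration; the "public keys" are placeholders of realistic length, not real keys, and are used only to show the DS-versus-DNSKEY size difference.

```python
import hashlib
import hmac
import struct

# RFC 4034 section 5.1.3 digest types that can appear in a DS record.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError("bad label length in %r" % name)
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B.1, algorithm != 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """Derive the DS fields (key tag, algorithm, digest type, digest) for a DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_rdata_bytes(ds) -> bytes:
    """DS RDATA wire format (RFC 4034 section 5.1), used here only to compare sizes."""
    tag, algorithm, digest_type, digest = ds
    return struct.pack("!HBB", tag, algorithm, digest_type) + digest


def dnskey_matches_ds(owner: str, rdata: bytes, ds) -> bool:
    """The check an initiator must perform when it is configured with only a DS and
    fetches the DNSKEY itself over (possibly unauthenticated) DNS: accept the key
    only if its digest equals the configured one."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False  # unknown digest type: cannot validate, so no match
    got_tag, got_alg, _, got_digest = ds_from_dnskey(owner, rdata, digest_type)
    return got_tag == tag and got_alg == algorithm and hmac.compare_digest(got_digest, digest)


def ds_presentation(owner: str, ds) -> str:
    """DS record in zone-file presentation format, the short form one would put in a config."""
    tag, algorithm, digest_type, digest = ds
    return "%s IN DS %d %d %d %s" % (owner, tag, algorithm, digest_type, digest.hex().upper())


# Constructed sample: a KSK-flagged (257) DNSKEY, algorithm 13, with a placeholder
# 4-byte public key. Not a real ECDSA key; chosen so the key tag is easy to check by hand.
SAMPLE_OWNER = "internal.example."
SAMPLE_KEY = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
SAMPLE_DS = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_KEY)

# Constructed RSA-2048-sized DNSKEY (algorithm 8): exponent length byte, 3-byte
# exponent 65537, 256-byte placeholder modulus. Only its length is meaningful.
SAMPLE_RSA_KEY = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + b"\x00" * 256)


def size_comparison():
    """(DS RDATA bytes, RSA-2048 DNSKEY RDATA bytes): the gap Paul is pointing at."""
    return len(ds_rdata_bytes(SAMPLE_DS)), len(SAMPLE_RSA_KEY)


if __name__ == "__main__":
    print(ds_presentation(SAMPLE_OWNER, SAMPLE_DS))
    print("DNSKEY accepted:", dnskey_matches_ds(SAMPLE_OWNER, SAMPLE_KEY, SAMPLE_DS))
    tampered = SAMPLE_KEY[:-1] + b"\x05"
    print("tampered DNSKEY accepted:", dnskey_matches_ds(SAMPLE_OWNER, tampered, SAMPLE_DS))
    print("DS bytes vs RSA-2048 DNSKEY bytes:", size_comparison())
```

The digest comparison is constant-time and the match requires the key tag and algorithm to agree as well as the digest, so a DNSKEY answer substituted on the wire cannot pass unless it collides with the configured digest; the trade-off in the message is that the responder's configuration holds 36 bytes of DS RDATA instead of a few hundred bytes of DNSKEY, at the cost of the initiator having to perform this lookup and check.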
