On Tue, 19 Jun 2018, Nico Williams wrote:
> The I-D should say that clients MUST allow local configuration of what domains to accept trust anchors for, and SHOULD allow local policy to list . as a domain for which to accept trust anchors.
Just one note. This draft is meant ONLY for use with split-tunnel VPNs. If you are sending all traffic over the VPN, then INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA are irrelevant and MUST be ignored, because you are no longer talking about a public vs private view. You are just changing the entry point to the public view. Was that not clear from the existing text?

Adding an option for "." as override trust anchor seems unnecessary for any non-malicious use case I can think of. Can you give an example of a valid use case?

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
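The policy the two messages argue about, written out as an added example (not code from the draft, from either author, or from any IKEv2 implementation): a client only considers INTERNAL_DNSSEC_TA when the tunnel is split, only for a domain the VPN also listed in INTERNAL_DNS_DOMAIN, and only if local configuration allows trust anchors for that domain, with "." standing for "any domain". The data shapes (plain domain strings, a small policy object) and the function names are assumptions for illustration, not the draft's wire format.

```python
# Added example: local acceptance policy for IKEv2-supplied DNSSEC trust
# anchors, modelling the rules discussed on the list. The attribute
# representation and names below are assumptions, not the draft's encoding.
from dataclasses import dataclass, field
from typing import List


def _normalize(name: str) -> str:
    """Lower-case a DNS name and strip trailing dots; the root "." becomes ""."""
    return name.strip().lower().rstrip(".")


def _within(name: str, suffix: str) -> bool:
    """True if name equals suffix or lies below it; the root ("" after
    normalization) matches every name."""
    if suffix == "":
        return True
    return name == suffix or name.endswith("." + suffix)


@dataclass
class LocalPolicy:
    """What the local administrator has configured (assumed structure)."""
    split_tunnel: bool                       # is this VPN a split tunnel?
    allowed_ta_domains: List[str] = field(default_factory=list)  # "." allows all


def accept_trust_anchor(policy: LocalPolicy,
                        internal_dns_domains: List[str],
                        ta_domain: str) -> bool:
    """Decide whether a trust anchor received for ta_domain may be installed.

    internal_dns_domains: the INTERNAL_DNS_DOMAIN values the VPN sent.
    ta_domain: the domain named in an INTERNAL_DNSSEC_TA attribute.
    """
    # Full-tunnel VPN: the split-DNS attributes are irrelevant and ignored.
    if not policy.split_tunnel:
        return False
    domain = _normalize(ta_domain)
    # The anchor must be for a domain the VPN explicitly claims as internal
    # (exact match here; a stricter reading than suffix matching).
    if domain not in {_normalize(d) for d in internal_dns_domains}:
        return False
    # Finally, local policy must permit anchors for that domain; "." in the
    # allow-list is the override Nico asked for and Paul questioned.
    return any(_within(domain, _normalize(a)) for a in policy.allowed_ta_domains)


if __name__ == "__main__":
    # Constructed sample: a split tunnel to corp.example.com.
    policy = LocalPolicy(split_tunnel=True, allowed_ta_domains=["example.com"])
    print(accept_trust_anchor(policy, ["corp.example.com"], "corp.example.com"))
    print(accept_trust_anchor(policy, ["corp.example.com", "."], "."))
```

With the allow-list set to `["example.com"]`, an anchor for `corp.example.com` is installed but an anchor for `.` is refused even though the gateway offered it; only an administrator who lists `.` locally gets the root override, which is the distinction the reply is drawing.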
