On Tue, 19 Jun 2018, Eric Rescorla wrote:

> Yes, that's technically true, but the question is whether it's in fact practical for people to do that.

I already responded before that yes I think it is practical.

> I'm sorry to repeat myself, but once again the document clearly states that this can happen:

I also answered this question twice already. If you are waiting for a trigger in any possible answer, why not just tell us what that trigger is and we can discuss it?

> In most deployment scenarios, the IKE client has an expectation that it is connecting, using a split-network setup, to a specific organisation or enterprise. A recommended policy would be to only accept INTERNAL_DNSSEC_TA directives from that organization's DNS names. However, this might not be possible in all deployment scenarios, such as one where the IKE server is handing out a number of domains that are not within one parent domain.
>
> Is that text wrong? If not, I suspect we're just quibbling about "common".

I can clarify the text if you tell me what is bothering you. Or you can suggest text.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
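As an added example that is not part of this thread or of the draft, the following is a client-side policy check in the spirit of the quoted recommendation: an INTERNAL_DNSSEC_TA is accepted only when its domain equals, or sits beneath, one of the organisation's configured domains, matched on whole labels. All names, the (domain, trust-anchor) attribute layout and the DS strings are constructed for illustration; a configured list of parents also covers the multi-domain deployment the text mentions.

```python
from __future__ import annotations

# Added example, not code from the draft or the thread: an IKE client-side
# acceptance policy for INTERNAL_DNSSEC_TA attributes. Names are constructed.

def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot ("" is the root)."""
    return name.strip().lower().rstrip(".")

def is_within(domain: str, parent: str) -> bool:
    """True if domain equals parent or is a subdomain of it. Matching is done
    on whole labels, so 'evilexample.org' is NOT within 'example.org'."""
    domain, parent = normalize(domain), normalize(parent)
    if parent == "":  # the root would match every name; never treat it as a parent
        return False
    return domain == parent or domain.endswith("." + parent)

def accept_dnssec_ta(ta_domain: str, org_domains: list[str]) -> bool:
    """Policy from the quoted text: accept a trust anchor only for a name inside
    one of the organisation's own domains. Several parents may be configured for
    deployments that hand out domains not under one common parent."""
    return any(is_within(ta_domain, org) for org in org_domains)

def filter_trust_anchors(attrs: list[tuple[str, str]], org_domains: list[str]) -> dict[str, str]:
    """Walk constructed (domain, ta_record) pairs received from the IKE server
    and keep only the ones the policy allows; everything else is dropped."""
    accepted: dict[str, str] = {}
    for domain, ta in attrs:
        if accept_dnssec_ta(domain, org_domains):
            accepted[normalize(domain)] = ta
    return accepted

if __name__ == "__main__":
    # Constructed sample: the client is configured for example.org's VPN.
    org = ["example.org"]
    received = [
        ("internal.example.org.", "DS 12345 8 2 <constructed-digest>"),  # accepted
        ("evilexample.org", "DS 1 8 2 <constructed-digest>"),           # not a subdomain
        ("ORG", "DS 2 8 2 <constructed-digest>"),                       # a whole TLD
        (".", "DS 3 8 2 <constructed-digest>"),                         # the root
    ]
    print(filter_trust_anchors(received, org))
```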