On Wed, Jun 20, 2018 at 7:15 AM, Paul Wouters <[email protected]> wrote:
> On Tue, 19 Jun 2018, Eric Rescorla wrote:
>
>> Yes, that's technically true, but the question is whether it's in fact
>> practical for people to do that.
>
> I already responded before that yes I think it is practical.

Perhaps I have misunderstood you, but that's not what I have been getting out of this conversation.

>> In most deployment scenarios, the IKE client has an expectation that
>> it is connecting, using a split-network setup, to a specific
>> organisation or enterprise. A recommended policy would be to only
>> accept INTERNAL_DNSSEC_TA directives from that organization's DNS
>> names. However, this might not be possible in all deployment
>> scenarios, such as one where the IKE server is handing out a number
>> of domains that are not within one parent domain.
>>
>> Is that text wrong? If not, I suspect we're just quibbling about "common".
>
> I can clarify the text if you tell me what is bothering you.

I thought I had made clear what was bothering me, so I suppose we must be talking past each other.

I read this text as saying that there are important cases where in fact the client will not have any reasonable way of knowing which domains to accept from the server, which, it seems to me, contradicts the claim above that it's practical.

You obviously think I'm wrong, so how should I be reading this text?

-Ekr
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
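The "recommended policy" quoted in the thread (accept INTERNAL_DNSSEC_TA only for the organization's own DNS names) can be written as a small client-side filter. The following is an added example, not code from the thread, the draft, or any IKE implementation: the `DnssecTA` record, the `filter_trust_anchors` function, and the sample trust anchors and domain names are all constructed for illustration. It models the client as having a locally configured list of organization parent domains (the split-network expectation from the quoted text), accepts a trust anchor only when its domain is equal to or beneath one of those parents on a label boundary, and rejects everything else, which is exactly the case the draft text flags as hard when the server hands out domains under no single parent.

```python
"""Added example: client-side acceptance policy for INTERNAL_DNSSEC_TA.

Assumptions (not from the thread): the client is configured out of band with
the parent domains of the organization it connects to; each trust anchor it
receives is tagged with the DNS domain it is meant to cover. All names and
anchor data below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def normalize(name: str) -> str:
    """Canonicalize a DNS name: drop the trailing dot and lower-case it,
    so 'Corp.Example.COM.' and 'corp.example.com' compare equal."""
    return name.rstrip(".").lower()


def is_within(name: str, parent: str) -> bool:
    """True if `name` equals `parent` or is a subdomain of it.

    The comparison is done on label boundaries: 'badexample.com' is NOT
    within 'example.com', even though it ends with the same characters.
    """
    n, p = normalize(name), normalize(parent)
    return n == p or n.endswith("." + p)


@dataclass(frozen=True)
class DnssecTA:
    """A DNSSEC trust anchor received from the IKE server (constructed)."""
    domain: str        # DNS domain this anchor is claimed to cover
    key_tag: int       # DS-style key tag (sample value)
    algorithm: int     # DNSKEY algorithm number (sample value)
    digest_type: int   # DS digest type (sample value)
    digest: str        # hex digest (sample value, not a real key)


def filter_trust_anchors(
    received: Iterable[DnssecTA], allowed_parents: Iterable[str]
) -> Tuple[List[DnssecTA], List[DnssecTA]]:
    """Split received anchors into (accepted, rejected).

    An anchor is accepted only if its domain lies within at least one
    locally configured organization parent domain. Anchors for unrelated
    domains are rejected rather than installed, since installing an
    attacker-chosen trust anchor would let the server validate forged
    DNSSEC data for that domain on the client's resolver.
    """
    parents = [normalize(p) for p in allowed_parents]
    accepted: List[DnssecTA] = []
    rejected: List[DnssecTA] = []
    for ta in received:
        if any(is_within(ta.domain, p) for p in parents):
            accepted.append(ta)
        else:
            rejected.append(ta)
    return accepted, rejected


# Constructed sample: what a server might hand out in one IKE exchange.
SAMPLE_TAS = [
    DnssecTA("example.com", 12345, 13, 2, "ab" * 32),
    DnssecTA("Corp.Example.COM.", 23456, 13, 2, "cd" * 32),
    DnssecTA("badexample.com", 34567, 13, 2, "ef" * 32),  # suffix lookalike
    DnssecTA("other-org.net", 45678, 13, 2, "01" * 32),   # unrelated parent
]

# Constructed sample: the client's out-of-band configuration.
ORG_PARENTS = ["example.com"]


def accepted_domains(received=SAMPLE_TAS, parents=ORG_PARENTS) -> List[str]:
    """Convenience wrapper returning the accepted domains, normalized."""
    acc, _ = filter_trust_anchors(received, parents)
    return [normalize(t.domain) for t in acc]


def rejected_domains(received=SAMPLE_TAS, parents=ORG_PARENTS) -> List[str]:
    """Convenience wrapper returning the rejected domains, normalized."""
    _, rej = filter_trust_anchors(received, parents)
    return [normalize(t.domain) for t in rej]


if __name__ == "__main__":
    print("accepted:", accepted_domains())
    print("rejected:", rejected_domains())
```

With an empty `ORG_PARENTS` list every anchor is rejected, which is the conservative behaviour for the deployment the draft text describes as hard: a client that has no configured parent domain has no basis for accepting any trust anchor, so the decision has to come from explicit local configuration rather than from the server's own list.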
