On Wed, Jun 20, 2018 at 11:20:31PM +0300, Tero Kivinen wrote:
> Reading this thread now, I have a few comments.
>
> [...]
>
> So I think the feature that we can use TLSA records in the split-dns
> is very important. I agree that it would be VERY BAD for the client to
> just accept whatever domains the server sends, and it SHOULD always verify
> it against its local configuration.
Agreed. But I also think that a REQUIREMENT that the client support and check local policy as to which domains to accept TAs for is sufficient to address the concern. Isn't it?

Nico

--
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
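The local-policy check the two posters agree on, written out as an added example (this is not code from the thread, from any IETF document, or from an IKEv2 implementation). It assumes the initiator has already parsed the split-DNS domains and DNSSEC trust-anchor domains out of the peer's CFG_REPLY (the attribute names INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA are used only as labels in the rejection list) and holds an operator-configured policy of which domains may be routed over the tunnel and which of those may also carry a peer-supplied trust anchor. Matching is done on DNS label boundaries so that a name such as `example.corp.attacker.test` is not treated as falling under `example.corp`; all domain names and the policy below are constructed.

```python
# Added example: client-side policy filter for peer-supplied split-DNS domains
# and DNSSEC trust-anchor (TA) domains. Not from RFC text or any implementation.
from dataclasses import dataclass


def _labels(name):
    """Normalise a DNS name to lowercase labels, dropping a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_within(domain, allowed):
    """True if `domain` equals `allowed` or is a proper subdomain of it.

    Comparison is per label, so 'example.corp.attacker.test' is NOT within
    'example.corp' and 'notexample.corp' is NOT within 'example.corp'.
    """
    d, a = _labels(domain), _labels(allowed)
    if not a:  # an empty or "." policy entry would match everything; refuse it
        return False
    return len(d) >= len(a) and d[len(d) - len(a):] == a


@dataclass(frozen=True)
class LocalPolicy:
    # Domains (and their subdomains) the operator pre-configured as acceptable
    # for split-DNS resolution through this tunnel.
    allowed_domains: tuple
    # Subset of domains for which the peer may additionally supply a DNSSEC TA.
    ta_domains: tuple


def check_server_domains(policy, offered_domains, offered_ta_domains):
    """Filter the peer's offer against local policy.

    Returns (accepted_domains, accepted_ta_domains, rejected), where
    `rejected` is a list of (attribute_label, domain) pairs the client must
    ignore rather than install. Nothing offered by the peer widens policy.
    """
    accepted, accepted_ta, rejected = [], [], []
    for dom in offered_domains:
        if any(is_within(dom, a) for a in policy.allowed_domains):
            accepted.append(dom)
        else:
            rejected.append(("INTERNAL_DNS_DOMAIN", dom))
    for dom in offered_ta_domains:
        # A TA is only honoured when its domain was accepted for split-DNS
        # *and* local policy explicitly permits a peer-supplied TA for it.
        if dom in accepted and any(is_within(dom, t) for t in policy.ta_domains):
            accepted_ta.append(dom)
        else:
            rejected.append(("INTERNAL_DNSSEC_TA", dom))
    return accepted, accepted_ta, rejected


if __name__ == "__main__":
    # Constructed policy and a constructed peer offer.
    policy = LocalPolicy(allowed_domains=("example.corp",),
                         ta_domains=("internal.example.corp",))
    offer = ["example.corp", "internal.example.corp",
             "example.corp.attacker.test", "notexample.corp"]
    offer_ta = ["internal.example.corp", "example.corp"]
    print(check_server_domains(policy, offer, offer_ta))
```

The point of the separate `ta_domains` list is the one Nico's reply makes: accepting a domain for split-DNS routing and accepting a trust anchor for it are two different decisions, and the client's local configuration, not the responder, decides both.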
