On Thu, Jun 21, 2018 at 02:56:58AM +0300, Tero Kivinen wrote:
> Nico Williams writes:
> > On Wed, Jun 20, 2018 at 11:20:31PM +0300, Tero Kivinen wrote:
> > > So I think the feature that we can use TLSA records in the split-dns
> > > is very important. I agree that it would be VERY BAD for the client to
> > > just accept whatever domains server sends, and it SHOULD always verify
> > > it against its local configuration.
> >
> > Agreed.
> >
> > But I also think that a REQUIREMENT that the client support and check
> > local policy as to which domains to accept TAs for is sufficient to
> > address the concern. Isn't it?
>
> Yes and no.
>
> Yes, I think that is best we can do.
>
> [...]

Agreed. Now, is the concern enough to reject this I-D?

Nico
--
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
