It seems like the conversation here stalled out a bit. From my perspective, the feeling in the working group is that the functionality described in the document for dealing with Split-DNS and DNSSEC is the best thing we can do given enterprise deployment models, as long as it is clear that the client must validate TAs against configured local policy.
I think the text that Paul added recently does aim at clarifying this point. Are there specific nits or changes we want to see in the text there? I'd like to see this document be able to progress soon in a way that everyone is satisfied with.

Thanks,
Tommy

> On Jun 20, 2018, at 5:26 PM, Nico Williams <[email protected]> wrote:
>
> On Thu, Jun 21, 2018 at 02:56:58AM +0300, Tero Kivinen wrote:
>> Nico Williams writes:
>>> On Wed, Jun 20, 2018 at 11:20:31PM +0300, Tero Kivinen wrote:
>>>> So I think the feature that we can use TLSA records in the split-dns
>>>> is very important. I agree that it would be VERY BAD for the client to
>>>> just accept whatever domains server sends, and it SHOULD always verify
>>>> it against its local configuration.
>>>
>>> Agreed.
>>>
>>> But I also think that a REQUIREMENT that the client support and check
>>> local policy as to which domains to accept TAs for is sufficient to
>>> address the concern. Isn't it?
>>
>> Yes and no.
>>
>> Yes, I think that is best we can do.
>>
>> [...]
>
> Agreed.
>
> Now, is the concern enough to reject this I-D?
>
> Nico
> --

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
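The client-side check the thread calls for, written up as an added example (not from the draft or from any participant): the gateway's Split-DNS configuration proposes domains and per-domain DNSSEC trust anchors, and the client keeps only what its locally configured policy allows. The `SplitDnsConfig` shape, the `allowed_domains` list and the subdomain-matching rule are assumptions for illustration, not the draft's encoding.

```python
# Added example: apply local policy to a Split-DNS configuration received
# from a VPN gateway. Nothing from the gateway is trusted on its own; a
# domain (and any trust anchor offered for it) is installed only if the
# local administrator has authorised that domain in advance.
from dataclasses import dataclass, field


@dataclass
class SplitDnsConfig:
    """Assumed shape of what the gateway sent: domains plus TA records per domain."""
    domains: list
    trust_anchors: dict = field(default_factory=dict)  # domain -> [TA records]


def _within(domain: str, allowed: str) -> bool:
    """True if domain equals `allowed` or is a subdomain of it (assumed policy rule)."""
    d, a = domain.lower().rstrip("."), allowed.lower().rstrip(".")
    return d == a or d.endswith("." + a)


def apply_local_policy(cfg, allowed_domains, allow_trust_anchors=True):
    """Return (accepted_domains, accepted_tas, rejected_domains).

    allowed_domains: locally configured list of domains the client may use
                     Split-DNS for; anything else the gateway proposes is dropped.
    allow_trust_anchors: local switch; when False, no gateway-supplied TA is
                     installed even for an accepted domain.
    """
    accepted, tas, rejected = [], {}, []
    for dom in cfg.domains:
        if any(_within(dom, a) for a in allowed_domains):
            accepted.append(dom)
            # TAs ride along only with an accepted domain and only if policy permits
            if allow_trust_anchors and dom in cfg.trust_anchors:
                tas[dom] = list(cfg.trust_anchors[dom])
        else:
            rejected.append(dom)
    # TAs offered for domains the gateway did not even list are never installed
    return accepted, tas, rejected


# Constructed sample: the gateway also tries to push "com" with a trust anchor.
SAMPLE = SplitDnsConfig(
    domains=["corp.example", "example.com", "com"],
    trust_anchors={"corp.example": ["DS 12345 8 2 <constructed>"],
                   "com": ["DS 1 8 2 <constructed>"]},
)
LOCAL_ALLOWED = ["corp.example", "internal.example.com"]
```

Running `apply_local_policy(SAMPLE, LOCAL_ALLOWED)` accepts only `corp.example` and its anchor; `example.com` (not under any allowed name) and `com` are rejected, so the `com` trust anchor is never installed.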
