On Wed, Nov 21, 2018 at 12:55 PM Paul Wouters <p...@nohats.ca> wrote:
> On Nov 22, 2018, at 00:03, Warren Kumari <war...@kumari.net> wrote:
> >
> > I am sympathetic to the general use case, but really don't want this to
> > open scary security holes / decrease "trust" in DNSSEC.
>
> By not allowing VPNs to use an enterprise internal dnssec trust anchor,
> you also erode trust in dnssec, or end up not using dnssec internally at
> all when connected via VPN.

True.

> I suggest you wait for me to push -15 before asking dnsop. It should be
> out today or tomorrow and contains quite some changes related to this topic.

Okey dokey, thank you. Please let me know LOUDLY when you have a new version ready (I don't want it to get lost in the post IETF103 / US Thanksgiving holiday / similar shuffle).

W

> Paul

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec