I believe the proposed change here is moot. The point of the current "MUST
NOT" is just a reminder that this logic does not require doing anything
unsafe. A DNSSEC signature on the HTTPS record would not enable any
substantial improvements to the pseudo-HSTS upgrade.
Also, HTTP specifications ge

On Wed, Aug 31, 2022 at 10:43 AM Eric Orth wrote:
> I'm not sure what exactly is being changed or clarified with this
> suggestion. Section 9.5 already applies at SHOULD-level, whether
> cryptographically protected or not and whether the received records were
> AliasMode or ServiceMode.
>
The t

On Wed, Aug 31, 2022, at 18:39, Brian Dickson wrote:
> One additional suggested addition to the end of section 3.1 is:
>>If DNS responses are cryptographically protected, and at least
>>one HTTPS AliasMode record has been received successfully,
>>clients MAY apply Section 9.5 (HSTS equi