On Wed, Dec 4, 2013 at 9:17 AM, Peter Saint-Andre wrote:
> On 12/4/13 2:13 AM, Dave Cridland wrote:
>> I'm waxing sleepy because it's 2 AM here, but I don't see how we get
>> that level of trust with unsigned DNS records...
>
> I assumed from the quantity of mail I was seeing from you that you were travelling. ;-)

We're currently using unsigned DNS records to authenticate anyway if the certificate fails to authenticate. So there's no new attack vector by using unsigned TLSA to prevent that fallback; and perhaps some fearsome TTLs on such records might mean we end up with a net win. Maybe.

Dave.
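As an added illustration (not code from the thread or from any XMPP server), here is a small Python model of the decision Dave is describing: a peer's certificate is checked first; DNSSEC-validated TLSA records can authenticate it under DANE; and the mere presence of TLSA records, signed or not, switches off the existing fallback to authenticating via unsigned DNS (server dialback, which is my assumption about what "unsigned DNS records to authenticate" refers to). The TLSA wire format and the selector/matching-type semantics follow RFC 6698; only certificate usage 3 (DANE-EE) is handled, since the other usages need chain building that is not shown. The certificate and SPKI bytes are constructed placeholders, not real DER, and the `decide_peer_auth` policy is my reading of the proposal, not anything the participants specified.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable

# RFC 6698 field values (only the ones this example handles).
USAGE_DANE_EE = 3      # certificate usage: domain-issued end-entity certificate
SEL_FULL_CERT = 0      # selector: full certificate
SEL_SPKI = 1           # selector: SubjectPublicKeyInfo
MATCH_EXACT = 0        # matching type: exact bytes
MATCH_SHA256 = 1       # matching type: SHA-256 of the selected data
MATCH_SHA512 = 2       # matching type: SHA-512 of the selected data


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Parse TLSA RDATA as it appears on the wire: three one-octet fields
    (usage, selector, matching type) followed by the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return TLSARecord(usage, selector, mtype, rdata[3:])


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record's association data matches the peer's certificate
    (or its SPKI) under the record's selector and matching type. Unknown
    selectors or matching types are treated as unusable, i.e. no match."""
    if rec.selector == SEL_FULL_CERT:
        selected = cert_der
    elif rec.selector == SEL_SPKI:
        selected = spki_der
    else:
        return False
    if rec.matching_type == MATCH_EXACT:
        return rec.data == selected
    if rec.matching_type == MATCH_SHA256:
        return rec.data == hashlib.sha256(selected).digest()
    if rec.matching_type == MATCH_SHA512:
        return rec.data == hashlib.sha512(selected).digest()
    return False


def decide_peer_auth(cert_verified: bool, tlsa_records: Iterable[TLSARecord],
                     dnssec_validated: bool, cert_der: bytes, spki_der: bytes) -> str:
    """Policy sketch (an assumption modelling the proposal in the thread):
      - a certificate that verifies under PKIX authenticates the peer ("pkix");
      - DNSSEC-validated DANE-EE records matching the certificate also
        authenticate it ("dane"); other usages need chain building not shown;
      - if the peer publishes any TLSA record at all, signed or not, the old
        fallback to authenticating via unsigned DNS is suppressed ("refuse");
      - with no TLSA records, keep today's behaviour ("dialback")."""
    records = list(tlsa_records)
    if cert_verified:
        return "pkix"
    if dnssec_validated and any(
        r.usage == USAGE_DANE_EE and tlsa_matches(r, cert_der, spki_der)
        for r in records
    ):
        return "dane"
    if records:
        return "refuse"
    return "dialback"


# Constructed sample data: placeholder byte strings, not real DER.
SAMPLE_CERT = b"\x30\x82\x01\x00constructed-certificate-bytes"
SAMPLE_SPKI = b"\x30\x59constructed-spki-bytes"
# A "3 1 1" record: DANE-EE, SPKI selector, SHA-256 matching.
SAMPLE_TLSA_RDATA = (bytes([USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256])
                     + hashlib.sha256(SAMPLE_SPKI).digest())


def demo() -> dict:
    """Run the policy over the constructed record in the four interesting states."""
    rec = parse_tlsa_rdata(SAMPLE_TLSA_RDATA)
    return {
        "matches": tlsa_matches(rec, SAMPLE_CERT, SAMPLE_SPKI),
        "signed": decide_peer_auth(False, [rec], True, SAMPLE_CERT, SAMPLE_SPKI),
        "unsigned": decide_peer_auth(False, [rec], False, SAMPLE_CERT, SAMPLE_SPKI),
        "no_tlsa": decide_peer_auth(False, [], False, SAMPLE_CERT, SAMPLE_SPKI),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the one in the message: an unsigned TLSA answer is never used to authenticate anything (that branch requires `dnssec_validated`), it is only used to withhold a fallback that itself rests on unsigned DNS, so a spoofed unsigned TLSA record can at worst cause a refusal, not a false acceptance.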
