> On Apr 10, 2018, at 11:22 AM, Paul Wouters <p...@nohats.ca> wrote:
>
> This hints at returning the proof of non-existence, but clearly even the
> authors are now saying they did not mean this and a server is not
> required to do this. Clearly the text needs clarification, and if it
> then leaves out denial of existence, it needs a justification for that
> as well.
Paul makes a good point. If indeed at some later time (as Willem suggests) a commitment to deliver the extension is made at some application layer, then the underlying TLS extension code will need to be able to return denial of existence of TLSA records when these are deleted or not yet present.

And yet there is nothing in the document that describes returning denial of existence for the requested TLSA records, except to validate a wildcard TLSA RRset (which is still a positive response). So indeed the present document does not support responses that are a denial of existence *of the requested TLSA RRset*.

So at the very least this defect will need to be addressed (option (A)). This in no way weakens the imperative for (C) (both denial of existence support and an extension support TTL).

--
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
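To make concrete the distinction Viktor draws between a denial of existence of the requested TLSA RRset and a wildcard TLSA RRset (a positive response that merely needs an NSEC to prove no closer name exists), here is an added example of the NSEC checks a client would have to run on the records such a chain would carry. It is not code from the thread or from the draft; it is a standalone Python sketch that assumes RRSIG validation has already been done, applies the canonical ordering of RFC 4034 section 6.1 and the NSEC proof rules of RFC 4035 section 5.4, and uses constructed NSEC records for a made-up example.com zone (no NSEC3, and the zone layout, names and type bitmaps are all invented for illustration).

```python
"""NSEC checks a TLS client would need when a DNSSEC chain carries a denial of
existence for a TLSA RRset, next to the wildcard positive case.

The NSEC records below are constructed for this example, not real DNS data.
Ordering follows RFC 4034 section 6.1, proofs follow RFC 4035 section 5.4.
RRSIG verification is assumed to have happened already and is out of scope.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


def _labels(name: str) -> List[bytes]:
    """Labels of a name, lowercased, root side first ("a.b.c." -> [c, b, a])."""
    name = name.rstrip(".").lower()
    return [l.encode() for l in reversed(name.split("."))] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 canonical order; a name that is a prefix of another sorts first."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def common_ancestor(a: str, b: str) -> str:
    """Longest common suffix of two names as an absolute name ("." if none)."""
    la, lb = _labels(a), _labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return "".join(l.decode() + "." for l in reversed(la[:n])) or "."


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: FrozenSet[str]

    def covers(self, name: str) -> bool:
        """True if name sorts strictly between owner and next. The last NSEC of
        a zone points back to the apex, so its range wraps around."""
        after_owner = canonical_cmp(self.owner, name) < 0
        before_next = canonical_cmp(name, self.next_name) < 0
        if canonical_cmp(self.owner, self.next_name) < 0:
            return after_owner and before_next
        return after_owner or before_next


def denial_of_existence(qname: str, qtype: str, nsecs: Sequence[NSEC]) -> Optional[str]:
    """Classify the NSEC proof for <qname, qtype>: 'NODATA', 'NXDOMAIN', or None
    when the records prove no denial (positive answer expected, or a record
    needed for the proof is missing from the chain)."""
    exact = [r for r in nsecs if canonical_cmp(r.owner, qname) == 0]
    if exact:
        return None if qtype in exact[0].types else "NODATA"
    covering = [r for r in nsecs if r.covers(qname)]
    if not covering:
        return None
    # Closest encloser: the longest existing ancestor of qname, exposed by the
    # covering NSEC as a common suffix with its owner or its next name.
    ce = max(common_ancestor(qname, covering[0].owner),
             common_ancestor(qname, covering[0].next_name),
             key=lambda n: len(_labels(n)))
    wildcard = "*." + ce.lstrip(".")
    at_wildcard = [r for r in nsecs if canonical_cmp(r.owner, wildcard) == 0]
    if at_wildcard:  # a wildcard exists: it either expands (positive) or is NODATA
        return None if qtype in at_wildcard[0].types else "NODATA"
    if any(r.covers(wildcard) for r in nsecs):
        return "NXDOMAIN"
    return None  # covering NSEC alone is not enough: the wildcard proof is missing


def wildcard_expansion_proven(qname: str, rrset_owner: str, nsecs: Sequence[NSEC]) -> bool:
    """Positive wildcard answer: the TLSA RRset is owned by *.<ce> for a proper
    ancestor <ce> of qname, and an NSEC proves no closer name exists."""
    if not rrset_owner.startswith("*."):
        return False
    ce = rrset_owner[2:]
    is_ancestor = (canonical_cmp(common_ancestor(qname, ce), ce) == 0
                   and len(_labels(qname)) > len(_labels(ce)))
    return is_ancestor and any(r.covers(qname) for r in nsecs)


# Constructed zone without a wildcard: only _25._tcp carries a TLSA record.
NO_WILDCARD = [
    NSEC("example.com.", "_25._tcp.example.com.", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("_25._tcp.example.com.", "www.example.com.", frozenset({"TLSA", "NSEC", "RRSIG"})),
    NSEC("www.example.com.", "example.com.", frozenset({"A", "NSEC", "RRSIG"})),
]
# Constructed zone where one wildcard TLSA RRset covers every port under _tcp.
WILDCARD = [
    NSEC("example.com.", "*._tcp.example.com.", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("*._tcp.example.com.", "www.example.com.", frozenset({"TLSA", "NSEC", "RRSIG"})),
    NSEC("www.example.com.", "example.com.", frozenset({"A", "NSEC", "RRSIG"})),
]

if __name__ == "__main__":
    q = "_443._tcp.example.com."
    print(denial_of_existence(q, "TLSA", NO_WILDCARD))                   # NXDOMAIN
    print(denial_of_existence(q, "TLSA", NO_WILDCARD[1:]))               # None: wildcard proof missing
    print(denial_of_existence("www.example.com.", "TLSA", NO_WILDCARD))  # NODATA
    print(wildcard_expansion_proven(q, "*._tcp.example.com.", WILDCARD))  # True
    print(denial_of_existence(q, "TLSA", WILDCARD))                      # None: positive answer expected
```

The second call is the case that matters for the thread: a chain that carries only the NSEC covering `_443._tcp.example.com.` does not prove the name absent, because the wildcard `*._tcp.example.com.` could still exist. A server that wants to deny the requested TLSA RRset therefore has to include both records (and their RRSIGs), which is exactly the response the draft never describes; the wildcard case at the end is a positive answer and needs only the single covering NSEC.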