> On Apr 10, 2018, at 11:22 AM, Paul Wouters <p...@nohats.ca> wrote:
> This hints at returning the proof of non-existence, but clearly even the
> authors are now saying they did not mean this and a server is not
> required to do this. Clearly the text needs clarification, and if it
> then leaves out denial of existence, it needs a justification for that
> as well.

Paul makes a good point.  If indeed at some later time (as Willem
suggests) a commitment to deliver the extension is made at some
application layer, then the underlying TLS extension code will need
to be able to return denial of existence of TLSA records when these
are deleted or not yet present.

And yet there is nothing in the document that describes returning
denial of existence for the requested TLSA records, except to
validate a wildcard TLSA RRset (which is still a positive response).
So indeed the present document does not support responses that are
a denial of existence *of the requested TLSA RRset*.

So at the very least this defect will need to be addressed (option
(A)). This in no way weakens the imperative for (C) (both denial of
existence support and an extension support TTL).


TLS mailing list

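To make concrete what "returning denial of existence of TLSA records" entails, here is an added example, not code from the thread or from the draft, that classifies what a set of NSEC records (RFC 4034/4035) proves about a TLSA query: the name is absent (NXDOMAIN, which also requires denying a matching wildcard), the name exists but has no TLSA RRset (NODATA), or no denial is proven (the RRset exists or the proof is incomplete). RRSIG validation is left out, and the NSEC chain for example.com is constructed for the illustration; the names and type sets in it are assumptions.

```python
# Added example (not from the thread or the draft): what a DNSSEC
# denial-of-existence proof for a TLSA RRset has to establish, using NSEC
# records (RFC 4034/4035). RRSIG validation is omitted; the NSEC chain at
# the bottom is constructed for illustration.

def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels compared right to
    left, lower-cased, as raw bytes; a proper ancestor sorts first."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if the NSEC with this owner and Next Domain Name proves that
    qname does not exist: owner < qname < next, or, for the last NSEC of
    the zone (next wraps to the apex), qname after owner or before apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n

def closest_encloser(owner, next_name, qname):
    """Longest existing ancestor of qname, deduced from the covering NSEC:
    the longer common ancestor of qname with its owner or its next name."""
    q = canonical_key(qname)
    best = ()
    for other in (canonical_key(owner), canonical_key(next_name)):
        i = 0
        while i < min(len(q), len(other)) and q[i] == other[i]:
            i += 1
        best = max(best, q[:i], key=len)
    return ".".join(l.decode() for l in reversed(best)) + "."

def classify_response(nsec_rrs, qname, qtype="TLSA"):
    """Decide what the NSEC records prove about qname/qtype.
    nsec_rrs: iterable of (owner, next_name, set_of_type_mnemonics).
    Returns "NODATA" (name exists without that type), "NXDOMAIN" (name and
    any matching wildcard proven absent) or None (no denial proven: the
    RRset exists and must be delivered, or the proof is incomplete)."""
    q = canonical_key(qname)
    owners = {canonical_key(o): types for o, _, types in nsec_rrs}
    if q in owners:                       # name exists: NODATA or positive
        return None if qtype in owners[q] else "NODATA"
    for owner, next_name, _ in nsec_rrs:
        if not nsec_covers(owner, next_name, qname):
            continue
        wildcard = "*." + closest_encloser(owner, next_name, qname)
        wk = canonical_key(wildcard)
        if wk in owners:                  # wildcard exists: a wildcard answer
            return None if qtype in owners[wk] else "NODATA"
        if any(nsec_covers(o, n, wildcard) for o, n, _ in nsec_rrs):
            return "NXDOMAIN"
        return None                       # qname covered, wildcard denial missing
    return None

# Constructed NSEC chain for example.com: no TLSA at _443._tcp.www (the
# name does not exist); _443._tcp.mail exists but carries only TXT.
ZONE_NSEC = [
    ("example.com.", "mail.example.com.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("mail.example.com.", "_443._tcp.mail.example.com.", {"A", "NSEC", "RRSIG"}),
    ("_443._tcp.mail.example.com.", "www.example.com.", {"TXT", "NSEC", "RRSIG"}),
    ("www.example.com.", "example.com.", {"A", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    for name in ("_443._tcp.www.example.com.",
                 "_443._tcp.mail.example.com.",
                 "_25._tcp.mail.example.com."):
        print(name, classify_response(ZONE_NSEC, name))
```

The point of the wildcard step is the one the message raises: an NXDOMAIN proof for `_443._tcp.host` is only complete when the NSEC set also denies `*.<closest encloser>`, and when that wildcard does exist the response is a (positive) wildcard TLSA answer, not a denial. A server that can only emit the RRset plus its chain, and never the covering NSEC/NSEC3 records, cannot express either the NODATA or the NXDOMAIN case.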