> On Apr 12, 2018, at 6:44 PM, Willem Toorop <wil...@nlnetlabs.nl> wrote: > > Well... I find it unfortunate that the line you were quoting from > section 3.4 could be interpreted as prohibiting the possibility of > denial of existence. So I am open to relaxing that text so that it can > not be interpreted as such anymore yes.
Current text: The first RRset in the chain MUST contain the TLSA record set being presented. However, ... Proposed text: When the server has DNSSEC-signed TLSA records, the first RRset in the chain MUST contain the TLSA record set being presented. However, ... When the server either has no TLSA records, or its domain is not DNSSEC-signed, it is RECOMMENDED that the server return a denial of existence of either the TLSA records, or proof of insecure delegation at some parent domain, rather than omit the extension. Clients that are willing to fall back from DANE to some alternative mechanism may require the denial of existence to make that possible. -- Viktor. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls