> On 22 Mar 2016, at 08:49, Viktor Dukhovni <[email protected]> wrote:
>
> On Tue, Mar 22, 2016 at 08:58:25AM +0100, Daniel Margolis wrote:
>
> My (strong) suggestion: use DNS for just cache invalidation, and
> perhaps also publication (via a separate record) of the "rua"
> reporting URI. Do not duplicate data which one must in any case
> obtain and cache via HTTPS in DNS.
>
> Do not attempt to hedge your bets and support DANE/DNSSEC via STS,
> I don't think that makes much sense either.
>
I agree with the “don’t hedge your bets” part. I was quite surprised to see all the justification for STS in the first part of the document, including “the mechanism described here presents a variant for systems not yet supporting DNSSEC”, and yet it then goes on to include DNSSEC as one of the policy authentication mechanisms.

> * Allow (DANE or other) domains to publish just the RUA,
> the feature is not STS-specific.
>

+1

Neil
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
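The design Viktor sketches and Neil endorses above (DNS carries only a cache-invalidation id and, in a separate record, the rua reporting URI; the policy body itself is fetched and cached over HTTPS and never duplicated in DNS) as an added Python model. This is example code written for this page, not code from the thread, the draft, or any MTA. It assumes the record and policy formats later published in RFC 8461 (MTA-STS: `_mta-sts.<domain>` TXT `v=STSv1; id=...`, policy at `https://mta-sts.<domain>/.well-known/mta-sts.txt`) and RFC 8460 (TLSRPT: `_smtp._tls.<domain>` TXT `v=TLSRPTv1; rua=...`), which may differ from the 2016 draft under discussion. The domain `example.net`, the records, and the policy text are constructed, and DNS/HTTPS are replaced by an in-memory stub (`FakeResolver`) so the example runs offline and counts HTTPS fetches.

```python
"""Model of 'DNS for cache invalidation only' MTA-STS policy refresh.

Added example; formats follow RFC 8461/8460, data is constructed.
"""
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_TXT = {
    "_mta-sts.example.net": ["v=STSv1; id=20160322T084900"],
    "_smtp._tls.example.net": ["v=TLSRPTv1; rua=mailto:tls-reports@example.net"],
    "example.net": ["v=spf1 -all"],  # unrelated TXT data, must be ignored
}
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.net\n"
    "mx: *.backup.example.net\n"
    "max_age: 604800\n"
)


class FakeResolver:
    """Stand-in for DNS TXT lookups and the HTTPS policy fetch (assumption:
    a real MTA would use its resolver and a TLS-validating HTTPS client)."""

    def __init__(self, txt, policy_text):
        self.txt = txt
        self.policy_text = policy_text
        self.https_fetches = 0  # lets callers check that DNS id == cached id avoids HTTPS

    def txt_records(self, name):
        return list(self.txt.get(name, []))

    def fetch_policy(self, domain):
        # Real URL would be https://mta-sts.<domain>/.well-known/mta-sts.txt
        self.https_fetches += 1
        return self.policy_text


def _fields(record):
    """Split 'k=v; k=v' TXT syntax; None if any part lacks '='."""
    out = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        out[key.strip()] = value.strip()
    return out


def parse_sts_txt(records):
    """Return the policy id iff exactly one valid v=STSv1 record is present.
    The record carries nothing but the id: the policy lives over HTTPS."""
    ids = []
    for rec in records:
        f = _fields(rec)
        if f is None or f.get("v") != "STSv1":
            continue
        if re.fullmatch(r"[A-Za-z0-9]{1,32}", f.get("id", "")):
            ids.append(f["id"])
    return ids[0] if len(ids) == 1 else None


def reporting_uris(domain, io):
    """rua URIs from the separate TLSRPT record; not tied to STS at all."""
    for rec in io.txt_records(f"_smtp._tls.{domain}"):
        f = _fields(rec)
        if f and f.get("v") == "TLSRPTv1" and f.get("rua"):
            return [u.strip() for u in f["rua"].split(",") if u.strip()]
    return []


def parse_policy(text):
    """Parse the HTTPS policy body; None if malformed."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            return None
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key == "max_age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    ok = (policy.get("version") == "STSv1"
          and policy.get("mode") in ("enforce", "testing", "none")
          and "max_age" in policy
          and (policy["mode"] == "none" or policy["mx"]))
    return policy if ok else None


def refresh_policy(domain, cache, io):
    """Fetch over HTTPS only when the DNS id differs from the cached one."""
    current_id = parse_sts_txt(io.txt_records(f"_mta-sts.{domain}"))
    cached = cache.get(domain)
    if current_id is None:
        # No usable record: keep the cached policy (max_age expiry not modelled).
        return cached["policy"] if cached else None
    if cached and cached["id"] == current_id:
        return cached["policy"]
    policy = parse_policy(io.fetch_policy(domain))
    if policy is None:
        return cached["policy"] if cached else None
    cache[domain] = {"id": current_id, "policy": policy}
    return policy


if __name__ == "__main__":
    io, cache = FakeResolver(SAMPLE_TXT, SAMPLE_POLICY), {}
    print(refresh_policy("example.net", cache, io), io.https_fetches)
    print(refresh_policy("example.net", cache, io), io.https_fetches)
    print(reporting_uris("example.net", io))
```

The second `refresh_policy` call performs no HTTPS fetch because the DNS id is unchanged; changing the id in the TXT record triggers exactly one refetch. Nothing in the DNS record is consulted for policy content, which is the "do not duplicate data" point above.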
