Re: [exim-dev] DANE

Author: Jeremy Harris
Date:
To: exim-dev
Subject: Re: [exim-dev] DANE
On 18/04/16 23:25, Viktor Dukhovni wrote:
>>>   * TLSA record lookup failures are not handled correctly.
>>>     If the host's A records are signed,

>>
>> Signed in what fashion?
>
> I should perhaps have said "DNSSEC validated", that is that the A
> records are in a "signed zone".
>
>>>     then TLSA record lookup
>>>     failure must block connections to the host, whether dane is
>>>     "required" or not.  On the other hand, insecure TLSA records,
>>>     (CNAME to insecure zone perhaps) should simply be ignored.


You want to enforce that DANE is used any place DNSSEC is used?
Perhaps I misunderstand; this does not seem viable.
--
Cheers,
Jeremy
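
The rule stated in the quoted text, written out as a decision function. This is an added example, not Exim's code and not something posted in the thread. The names (`tlsa_result`, `dane_action`, `dane_decide`) are hypothetical, and the handling of unsigned address records, of a validated "no TLSA" answer, and of the "required" case are assumptions the thread does not spell out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of the TLSA lookup for a host (hypothetical names). */
typedef enum {
    TLSA_SECURE_RRSET,   /* DNSSEC-validated TLSA records were returned */
    TLSA_SECURE_ABSENT,  /* validated answer: no TLSA records exist */
    TLSA_INSECURE,       /* answer from an unsigned zone, e.g. via CNAME */
    TLSA_LOOKUP_FAILED   /* lookup error: SERVFAIL, timeout, bogus data */
} tlsa_result;

typedef enum { USE_DANE, NO_DANE, SKIP_HOST } dane_action;

dane_action dane_decide(bool addr_secure, tlsa_result tlsa, bool dane_required)
{
    /* Assumption: with unsigned A records the TLSA result is not used. */
    if (!addr_secure)
        return dane_required ? SKIP_HOST : NO_DANE;

    switch (tlsa) {
    case TLSA_SECURE_RRSET:
        return USE_DANE;
    case TLSA_LOOKUP_FAILED:
        /* From the thread: a failed lookup blocks the host whether DANE
           is "required" or not, so breaking DNS cannot force a downgrade. */
        return SKIP_HOST;
    case TLSA_INSECURE:      /* from the thread: simply ignored */
    case TLSA_SECURE_ABSENT: /* assumption: same as "no DANE published" */
        return dane_required ? SKIP_HOST : NO_DANE;
    }
    return SKIP_HOST; /* fail closed on an unexpected value */
}

int main(void)
{
    static const char *act[] = { "use DANE", "no DANE", "skip host" };
    static const char *res[] = { "secure RRset", "secure absent",
                                 "insecure", "lookup failed" };
    /* Print the table for signed address records, DANE not required. */
    for (int t = TLSA_SECURE_RRSET; t <= TLSA_LOOKUP_FAILED; t++)
        printf("%-14s -> %s\n", res[t],
               act[dane_decide(true, (tlsa_result)t, false)]);
    return 0;
}
```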