On Thu, Oct 03, 2013 at 01:31:24PM -0700, Wes Hardaker wrote:
> 5) security considerations
>
> There is definitely something to consider if someone publishes both
> name records along with number records, and the client only parses
> number records. What happens with this:
>
> _666._tcp.first.example. TLSA 3 1 1 {blob}
> _666._tcp.first.example. TLSA DANE-TA SPKI SHA2-256 {blob}
>
> Something needs to be said for that case; what would an existing
> implementation do? drop both? take one? Either way, it should be
> discussed/mentioned.

I'm confused; I thought these were just user-friendly names... The
wire format of the DNS TLSA record is surely unchanged. In which
case it is impossible to publish the second form; it is just an
input format in documentation (and perhaps source-form zone files
in supporting DNS servers), but not a wire format.
--
Viktor.
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
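The point made in the reply, that the acronym spelling is presentation syntax only and encodes to exactly the same RDATA layout as the numeric spelling, as an added example that is not from this thread or from any DANE implementation: a small Python parser that accepts either spelling of a TLSA zone-file line and emits wire-format RDATA. The acronym tables follow RFC 7218; matching acronyms case-insensitively is this example's own choice, and the 32-octet hex blob is constructed to stand in for the `{blob}` in the mail.

```python
"""Added example: TLSA presentation-format parsing with RFC 7218 acronyms."""
import struct

# Acronym tables from RFC 7218 (assumption: matched case-insensitively here).
USAGE = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}
SELECTOR = {"CERT": 0, "SPKI": 1}
MATCHING = {"FULL": 0, "SHA2-256": 1, "SHA2-512": 2}
FIELDS = (("usage", USAGE), ("selector", SELECTOR), ("matching type", MATCHING))
DIGEST_LEN = {1: 32, 2: 64}  # expected association-data length per matching type


def _field(token: str, name: str, table: dict) -> int:
    """Accept a numeric value or an acronym; refuse anything else loudly."""
    if token.isdigit():
        value = int(token)
    else:
        value = table.get(token.upper())
        if value is None:
            raise ValueError(f"unknown {name} acronym {token!r}")
    if not 0 <= value <= 255:
        raise ValueError(f"{name} {value} does not fit in one octet")
    return value


def tlsa_rdata(presentation: str) -> bytes:
    """Turn one TLSA zone-file line (numeric or acronym form) into RDATA bytes."""
    tokens = presentation.split()
    if len(tokens) < 6 or tokens[1].upper() != "TLSA":
        raise ValueError("expected: <owner> TLSA <usage> <selector> <mtype> <hex>")
    usage, selector, mtype = (
        _field(tok, name, table) for tok, (name, table) in zip(tokens[2:5], FIELDS))
    cert_data = bytes.fromhex("".join(tokens[5:]))
    if mtype in DIGEST_LEN and len(cert_data) != DIGEST_LEN[mtype]:
        raise ValueError(f"matching type {mtype} needs {DIGEST_LEN[mtype]} octets")
    # Wire format (RFC 6698): three one-octet fields, then the association data.
    return struct.pack("!BBB", usage, selector, mtype) + cert_data


def is_valid_tlsa(presentation: str) -> bool:
    """True if the line parses; a parser that understands only digits would not."""
    try:
        tlsa_rdata(presentation)
        return True
    except ValueError:
        return False


BLOB = "ab" * 32  # constructed stand-in for the {blob} in the quoted records
NUMERIC = f"_666._tcp.first.example. TLSA 3 1 1 {BLOB}"
ACRONYM = f"_666._tcp.first.example. TLSA DANE-TA SPKI SHA2-256 {BLOB}"

if __name__ == "__main__":
    for line in (NUMERIC, ACRONYM):
        rdata = tlsa_rdata(line)
        print(rdata[:3].hex(), rdata[3:].hex()[:16] + "...")
```

Note that the two records quoted above are not the same record: usage `3` is DANE-EE, while `DANE-TA` is usage 2, so on the wire a resolver simply sees two distinct TLSA RRs with different first octets.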