On Mar 25, 2015, at 10:40 AM, James Cloos <[email protected]> wrote:
> I support the wg adopting this draft.
>
> It needs a bit of work and discussion; such work is relevant here and
> worth doing.
>
> In §2.1.2 it has what looks like a copy-paste error, where it labels
> Selector 2 as DANE-TA, whereas in both rfc 6698 and the acronyms draft
> that is unassigned.

Oops... Fixing it.

> The IPSECA record here is identical to a TLSA except only in name.
> If it does not need anything more than TLSA offers, why not just use
> TLSA? (Even if the answer is that that is the only way to signal ipsec
> vs tls, it needs discussion.)

My 0.02 is that having different record types for different protocols gives us very useful flexibility (both if the RRs may need to evolve, and during DNS resolution).

It is, on the other hand, interesting that the IPSECA looks this way. It was from wg feedback that we pulled the gateway information out (which the IPSECKEY RR has). There seemed to be a potential MitM attack vector in there.

Regardless, I think we want to follow the wg's direction on these issues.

Thanks for the feedback!

Eric
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
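The copy-paste error James points out (labelling Selector 2 as DANE-TA) is the kind of thing a field validator catches: in RFC 6698 the Selector field only has values 0 (Cert) and 1 (SPKI), while DANE-TA is Certificate Usage 2. Below is an added example, not code from the draft, RFC 6698 or the dane list, of a small validator for TLSA presentation-format RDATA that accepts both the numeric values and the RFC 7218 acronyms, rejects unassigned field values such as Selector 2, and checks that the association data length matches the digest type. The sample records are constructed.

```python
import re

# Registered values from RFC 6698, with the RFC 7218 acronyms.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}          # note: 2 is unassigned
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
# Expected length of the association data for the digest matching types.
DIGEST_LEN = {1: 32, 2: 64}


def _decode(field, table, text):
    """Return the numeric value of a field given as a number or an acronym."""
    if text.isdigit():
        return int(text)
    for num, name in table.items():
        if name.lower() == text.lower():
            return num
    raise ValueError(f"{field}: unknown value {text!r}")


def _check(field, table, value):
    """Reject values that are not assigned in RFC 6698."""
    if value not in table:
        assigned = ", ".join(f"{n} ({name})" for n, name in table.items())
        raise ValueError(f"{field} {value} is unassigned; assigned values: {assigned}")


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hexdata' (hex may be split by whitespace).

    Returns a dict with acronyms for the three fields and the raw data bytes,
    or raises ValueError describing which field is wrong.
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage = _decode("usage", USAGE, parts[0])
    selector = _decode("selector", SELECTOR, parts[1])
    mtype = _decode("matching type", MATCHING, parts[2])
    _check("usage", USAGE, usage)
    _check("selector", SELECTOR, selector)
    _check("matching type", MATCHING, mtype)

    hexdata = "".join(parts[3:])
    if not re.fullmatch(r"[0-9A-Fa-f]*", hexdata) or len(hexdata) % 2:
        raise ValueError("association data is not valid hex")
    data = bytes.fromhex(hexdata)
    expected = DIGEST_LEN.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"{MATCHING[mtype]} data must be {expected} bytes, got {len(data)}")
    return {"usage": USAGE[usage], "selector": SELECTOR[selector],
            "matching_type": MATCHING[mtype], "data": data}


if __name__ == "__main__":
    # Constructed sample records; the digests are placeholders, not real ones.
    print(parse_tlsa("3 1 1 " + "ab" * 32))
    print(parse_tlsa("DANE-TA Cert SHA2-512 " + "00" * 64))
    try:
        parse_tlsa("2 2 1 " + "ab" * 32)   # the draft's mislabelled "Selector 2"
    except ValueError as e:
        print("rejected:", e)
```

The same table-driven check would apply unchanged to the draft's IPSECA record as described in the quoted message, since its fields are identical to TLSA's; only the record type name differs.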
