On Fri, Apr 17, 2015 at 12:47:45PM -0400, Olafur Gudmundsson wrote:
> > On Apr 16, 2015, at 2:28 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
> > On 16/04/15 18:37, Viktor Dukhovni wrote:
> >> On Thu, Apr 16, 2015 at 04:27:33PM +0100, Stephen Farrell wrote:
> >>> (1) What is the behaviour when all RRs required for this are
> >>> published except for no DNSSEC RRs? I have heard tell of some
> >>> people who would like to experiment in that way, and would
> >>> like to know if the WG have a clear answer for them as to
> >>> what ought happen. Is that answer here? (If so, it's fairly
> >>> well hidden;-)
> >> 
> >> The specified and implemented (Postfix and Exim) behaviour is that
> >> the records are ignored when not "secure".  Thus DNSSEC is a
> >> prerequisite.  Opportunistic TLS happens anyway (even without TLSA
> >> record validation), so it is not clear why one would bother with
> >> incomplete (easily defeated) attempts at protecting against active
> >> attacks.
> > 
> > My understanding is that some people wanted to experiment with TLSA
> > without having to have had DNSSEC deployed. But I take your answer
> > to be that no such behaviour is defined here, which is fine. So
> > consider this one answered.
> 
> Stephen, I want to remind you of the conversations we had before and
> after the IETF meeting in Taipei, when this topic was going in circles.
> Conclusion of discussion: DANE REQUIRES DNSSEC <full stop>

+1

> if someone wants to publish TLSA records w/o DNSSEC that can work in
> their environment but it is not going to be globally visible. 

There's nothing wrong with unsigned TLSA RRSets being publicly visible.

What's wrong is shipping code that uses unsigned TLSA RRSets.

To test, I'd use a recursive, validating server, and prime its cache (or
the stub resolver's).  Done.

Nico
-- 
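The decision rule the thread settles on (TLSA records count only when the DNS answer is DNSSEC-secure; otherwise the client ignores them and simply does opportunistic TLS) can be written down as a small state machine. The following is an added example, not code from the thread, from Postfix or from Exim. It assumes the stub trusts the AD bit set by its own validating recursive resolver (which is why, as Nico says, the test setup is a validating server whose cache you prime, reached over a path you trust), and it assumes, as Postfix-style DANE clients do, that a DNSSEC "bogus" answer (SERVFAIL from a validating resolver) defers delivery rather than downgrading; the TLSA record and wire headers are constructed sample data.

```python
"""Model of the DANE-for-SMTP decision discussed above: TLSA RRsets are
used only when the resolver marks the answer DNSSEC-secure (AD bit);
unsigned TLSA data is ignored and the client falls back to opportunistic
TLS.  Added example; assumes a trusted validating resolver sets AD and
that SERVFAIL (bogus) means "defer", not "downgrade" (editor's assumption,
modelled on Postfix behaviour)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from enum import Enum

# DNS header flag word (RFC 1035; AD bit from RFC 4035)
FLAG_QR = 0x8000      # this is a response
FLAG_RD = 0x0100      # recursion desired
FLAG_RA = 0x0080      # recursion available
FLAG_AD = 0x0020      # authenticated data: resolver validated the answer
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2    # what a validating resolver returns for bogus data


class Outcome(Enum):
    DANE = "dane"                    # enforce TLSA-based verification
    OPPORTUNISTIC = "opportunistic"  # TLSA ignored, plain opportunistic TLS
    DEFER = "defer"                  # validation failed: do not send now


@dataclass
class TlsaResponse:
    ad: bool            # resolver asserts the answer is DNSSEC-secure
    rcode: int
    tlsa_rrs: list      # constructed (usage, selector, mtype, hexdata) tuples


def parse_header(wire: bytes) -> tuple[bool, bool, int]:
    """Return (is_response, ad_set, rcode) from a 12-byte DNS header."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", wire[:12])
    return bool(flags & FLAG_QR), bool(flags & FLAG_AD), flags & RCODE_MASK


def response_from_wire(wire: bytes, tlsa_rrs: list) -> TlsaResponse:
    """Attach already-decoded TLSA RRs to the security status in the header."""
    is_response, ad, rcode = parse_header(wire)
    if not is_response:
        raise ValueError("not a DNS response")
    return TlsaResponse(ad=ad, rcode=rcode, tlsa_rrs=tlsa_rrs)


def decide(resp: TlsaResponse) -> tuple[Outcome, list]:
    """The policy from the thread: DNSSEC is a prerequisite for using TLSA."""
    if resp.rcode == RCODE_SERVFAIL:
        return Outcome.DEFER, []              # bogus: neither use nor downgrade
    if resp.ad and resp.tlsa_rrs:
        return Outcome.DANE, list(resp.tlsa_rrs)
    # Unsigned ("insecure") TLSA data, or no TLSA at all: ignore the records.
    # Opportunistic TLS still happens, so an attacker who can forge unsigned
    # DNS gains nothing that wasn't already available without TLSA.
    return Outcome.OPPORTUNISTIC, []


def build_header(ad: bool, rcode: int, ancount: int) -> bytes:
    """Constructed response header for offline testing (sample data)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


# Constructed TLSA RR: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256)
SAMPLE_TLSA = [(3, 1, 1, "ab" * 32)]


def main() -> None:
    for label, wire, rrs in [
        ("signed", build_header(True, RCODE_NOERROR, 1), SAMPLE_TLSA),
        ("unsigned", build_header(False, RCODE_NOERROR, 1), SAMPLE_TLSA),
        ("bogus", build_header(False, RCODE_SERVFAIL, 0), []),
    ]:
        outcome, used = decide(response_from_wire(wire, rrs))
        print(f"{label:9s} -> {outcome.value}, TLSA used: {len(used)}")


if __name__ == "__main__":
    main()
```

The "unsigned" branch is the case Stephen asked about: the records are parsed but never influence the connection, so publishing them without DNSSEC is harmless but also pointless. Note that the AD bit only means something when the resolver that set it is one you control and reach over a trusted path (localhost or an authenticated channel); an AD bit arriving from an arbitrary resolver across the network is itself unauthenticated.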

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane