On Mon, Apr 20, 2015 at 07:50:51AM -0700, Brian Haberman wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> * The reference to Section 4 of draft-ietf-dane-smtp-with-dane in the
> Note within section 3.1 seems out-of-date.
Don't know how that became section 4; this was a reference to
section 2.1 in version 12 (the previous version) of the draft, which
was correct.
> * The intro to Section 3.2 says "A and/or AAAA", but the first two
> bullets in the list seem to assume that both A and AAAA lookups are
> performed.
Some clients only have IPv4 connectivity and will only make A
queries. Other clients only have IPv6 connectivity and will only
make AAAA queries; some will perform both.
The client avoids TLSA queries when none of the address records it
found were secure. In practice, since the A and AAAA records belong
to the same "owner", it would be very surprising if they had a
different security status.
The only way that happens is if the cached DS RRset (or negative
entry) expires from the cache between the two queries, and the
zone's DNSSEC status changed since last queried.
--
Viktor.
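The rule Viktor describes, as an added example that is not part of the original mail or of the draft: a constructed cache of A/AAAA RRsets with a per-RRset DNSSEC status, and a client that queries only the record types its connectivity allows and proceeds to a TLSA query unless none of the address RRsets it found were secure. Hostnames, addresses and the use of the AD bit as the "secure" signal are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RRset:
    """One address RRset as a validating resolver returned it."""
    owner: str
    rrtype: str             # "A" or "AAAA"
    rdata: Tuple[str, ...]
    secure: bool            # assumption: True when the resolver set the AD bit


# Constructed cache (names and addresses are made up). mx2's AAAA RRset is
# insecure while its A RRset is secure, modelling the DS-expiry race from the mail;
# mx3 has only an insecure A RRset.
CACHE: Dict[Tuple[str, str], RRset] = {
    ("mx1.example.com", "A"):    RRset("mx1.example.com", "A",    ("192.0.2.25",),   True),
    ("mx1.example.com", "AAAA"): RRset("mx1.example.com", "AAAA", ("2001:db8::25",), True),
    ("mx2.example.com", "A"):    RRset("mx2.example.com", "A",    ("192.0.2.26",),   True),
    ("mx2.example.com", "AAAA"): RRset("mx2.example.com", "AAAA", ("2001:db8::26",), False),
    ("mx3.example.com", "A"):    RRset("mx3.example.com", "A",    ("192.0.2.27",),   False),
}


def address_types(ipv4: bool, ipv6: bool) -> Tuple[str, ...]:
    """Record types a client queries: A for IPv4, AAAA for IPv6, both for dual-stack."""
    return tuple(t for t, on in (("A", ipv4), ("AAAA", ipv6)) if on)


def resolve_host(host: str, ipv4: bool = True, ipv6: bool = True,
                 cache: Dict[Tuple[str, str], RRset] = CACHE) -> Tuple[List[RRset], bool]:
    """Fetch the address RRsets this client would ask for and decide whether to
    continue with a TLSA query. The TLSA query is skipped only when none of the
    address RRsets actually found were secure, so a mixed-status host still
    gets a TLSA lookup from a dual-stack client but not from a client that only
    saw the insecure RRset."""
    found = [cache[(host, t)] for t in address_types(ipv4, ipv6) if (host, t) in cache]
    do_tlsa = any(rr.secure for rr in found)
    return found, do_tlsa


def tlsa_decisions(hosts, ipv4: bool = True, ipv6: bool = True) -> Dict[str, bool]:
    """Map each host to whether this client would go on to query TLSA for it."""
    return {h: resolve_host(h, ipv4, ipv6)[1] for h in hosts}


if __name__ == "__main__":
    hosts = sorted({owner for owner, _ in CACHE})
    for v4, v6 in ((True, False), (False, True), (True, True)):
        print(address_types(v4, v6), tlsa_decisions(hosts, v4, v6))
```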
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane