> On Dec 11, 2015, at 12:10 AM, Shumon Huque <[email protected]> wrote:
>
>> Doing incorrect validation of DNSSEC wildcards is not a good idea.
>> These are defaults, that are quite deliberately inapplicable in
>> the presence of real records. If a user has a specific TLSA
>> record for port 443, and a different wildcard covering other ports,
>> attackers MUST NOT be able to substitute the wildcard TLSA RRset
>> for the more specific one for port 443. Do not confuse these
>> with the X.509 wildcards.
>
> I wasn't confusing anything, rather considering ways to avoid the presence of
> NSEC records in the chain, as a possible simplification. Presumably the
> server operator knows what records are in their zone and can judge the risks
> for themselves, but I know it isn't ideal. Another option, also not ideal,
> would be to exclude wildcard TLSA records from using this mechanism.
The server operator may not always be at liberty to ensure that the
TLSA RRset is free of wildcards. This might apply for example in
intramural corporate deployments of services running on multiple
and perhaps variable ports on a given host.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
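The substitution Viktor describes, as an added example that is not part of the thread above and not code from any DANE implementation. It models the RFC 4035 section 5.3.4 rule: an RRSIG whose Labels field is smaller than the owner name's label count was made over the wildcard name, so it verifies for every name the wildcard can expand to, and only a signed NSEC covering the exact query name stops an attacker from replaying the wildcard TLSA RRset for _443._tcp. The zone names, TLSA pins and NSEC chain are constructed, a zone-key HMAC stands in for a real public-key RRSIG (the verifier holding the key is a simplification), and NSEC3 closest-encloser logic is omitted.

```python
"""Wildcard-expansion validation for TLSA answers (constructed model)."""
import hashlib
import hmac
from dataclasses import dataclass

ZONE_KEY = b"constructed-zone-key"  # stand-in for the zone's DNSKEY; HMAC replaces RRSIG


def labels(name):
    return [lab.lower() for lab in name.rstrip(".").split(".")]


def canonical_lt(a, b):
    # RFC 4034 section 6.1: compare labels right to left as octet strings
    return [l.encode() for l in reversed(labels(a))] < [l.encode() for l in reversed(labels(b))]


@dataclass(frozen=True)
class RRsig:
    labels: int   # RRSIG Labels field: owner label count, leading "*" not counted
    mac: bytes    # toy signature (HMAC) in place of a public-key RRSIG


def _signed_message(owner, rrtype, rdata):
    lab = labels(owner)
    count = len(lab) - (1 if lab[0] == "*" else 0)
    # RFC 4034 3.1.8.1: a wildcard RRset is signed under the "*" owner name,
    # so one RRSIG is valid for every name the wildcard can expand to.
    return count, f"{'.'.join(lab)}|{rrtype}|{count}|{'|'.join(sorted(rdata))}".encode()


def sign(owner, rrtype, rdata):
    count, msg = _signed_message(owner, rrtype, rdata)
    return RRsig(count, hmac.new(ZONE_KEY, msg, hashlib.sha256).digest())


def verify_rrsig(owner, rrtype, rdata, sig):
    count, msg = _signed_message(owner, rrtype, rdata)
    expected = hmac.new(ZONE_KEY, msg, hashlib.sha256).digest()
    return count == sig.labels and hmac.compare_digest(expected, sig.mac)


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    sig: RRsig


def nsec_covers(n, name):
    if canonical_lt(n.owner, n.next_name):
        return canonical_lt(n.owner, name) and canonical_lt(name, n.next_name)
    return canonical_lt(n.owner, name) or canonical_lt(name, n.next_name)  # last NSEC wraps


# Constructed zone: a specific pin for port 443, a wildcard pin for every other port
TLSA_443 = ("3 1 1 " + "aa" * 32,)
TLSA_WILD = ("3 1 1 " + "bb" * 32,)
RRSETS = {
    ("_443._tcp.host.example", "TLSA"): TLSA_443,
    ("*._tcp.host.example", "TLSA"): TLSA_WILD,
}
SIGS = {k: sign(k[0], k[1], v) for k, v in RRSETS.items()}


def _nsec(owner, next_name):
    return Nsec(owner, next_name, sign(owner, "NSEC", (next_name,)))


NSEC_CHAIN = (  # simplified chain: apex, DNSKEY and SOA owners left out
    _nsec("host.example", "*._tcp.host.example"),
    _nsec("*._tcp.host.example", "_443._tcp.host.example"),
    _nsec("_443._tcp.host.example", "host.example"),
)


@dataclass
class Answer:
    qname: str
    rrtype: str
    rdata: tuple
    sig: RRsig
    nsec: tuple = ()  # denial-of-existence records sent with the answer


def validate(ans, require_nonexistence_proof=True):
    qlabels = labels(ans.qname)
    qname = ".".join(qlabels)
    if ans.sig.labels > len(qlabels):
        return False, "RRSIG Labels field exceeds QNAME label count"
    wildcard = ans.sig.labels < len(qlabels)
    # RFC 4035 5.3.4: fewer labels means wildcard expansion; rebuild the name signed
    signed_owner = "*." + ".".join(qlabels[-ans.sig.labels:]) if wildcard else qname
    if not verify_rrsig(signed_owner, ans.rrtype, ans.rdata, ans.sig):
        return False, "RRSIG does not verify"
    if not wildcard:
        return True, "exact-match RRset"
    if not require_nonexistence_proof:
        return True, "wildcard accepted WITHOUT checking that the exact name is absent"
    for n in ans.nsec:
        if verify_rrsig(n.owner, "NSEC", (n.next_name,), n.sig) and nsec_covers(n, qname):
            return True, f"wildcard {signed_owner}; NSEC {n.owner} proves {qname} absent"
    return False, "wildcard expansion with no signed proof that the exact name is absent"


WILD_SIG = SIGS[("*._tcp.host.example", "TLSA")]
LEGIT_443 = Answer("_443._tcp.host.example", "TLSA", TLSA_443, SIGS[("_443._tcp.host.example", "TLSA")])
LEGIT_8443 = Answer("_8443._tcp.host.example", "TLSA", TLSA_WILD, WILD_SIG, NSEC_CHAIN)
# Attacker replays the wildcard RRset and its genuinely valid RRSIG for port 443
ATTACK_443 = Answer("_443._tcp.host.example", "TLSA", TLSA_WILD, WILD_SIG, NSEC_CHAIN)

if __name__ == "__main__":
    for label, ans in [("443", LEGIT_443), ("8443", LEGIT_8443), ("attack", ATTACK_443)]:
        print(label, validate(ans))
    print("attack, NSEC check skipped:", validate(ATTACK_443, require_nonexistence_proof=False))
```

The attack answer carries a signature that verifies, which is exactly why dropping NSEC records from the chain (as floated upthread) is unsafe whenever the zone contains a wildcard under the same parent: the only thing that distinguishes the forged port-443 answer from the honest port-8443 one is the signed NSEC covering the query name, and the zone cannot have signed one for a name that exists.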