On Fri, Feb 27, 2026 at 04:26:26AM -0800, Benno Overeinder via Datatracker <[email protected]> wrote a message of 38 lines which said:
> This message starts a WG Last Call for:
> draft-ietf-dnsop-structured-dns-error-17

Issue in section 3:

"During the TLS handshake, the on-path network security device modifies the certificate provided by the server and (re)signs it using the private key from the local root certificate."

I simply do not understand this sentence. If, as said at the beginning of the paragraph, "The DNS response is forged to provide a list of IP addresses that points to an HTTP(S) server", there is no need to modify the certificate; the TLS handshake is done entirely with the "security device". The entire paragraph is messy, anyway: if the DNS serves forged answers, the "security device" does not even need to be on-path (unlike what the current text says).

Also, some small details:

Section 10.2

"Further, clients MUST NOT display the value of the "o" field to the end-user unless one of the following conditions is met:"

The example in section 8 apparently does not meet any of these conditions.

Section 1

"and additionally for parental control"

Parental control was already mentioned in the same paragraph.