[Yeti DNS Discuss] Chain Extension for TLS and the root key

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jul 10 10:34:25 UTC 2017

The IETF draft "A DANE Record and DNSSEC Authentication Chain
Extension for TLS" draft-ietf-tls-dnssec-chain-extension is currently
in Working Group Last Call (ending 12 July).

I'm wondering if it is compatible with "alternative roots": the TLS
server returns all the DNSSEC keys and signatures, from the root to
its own domain. It means the TLS client *must* use the same DNSSEC
root key as the TLS server.

If it cannot work with alternative roots, this is certainly an issue.
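An added example (not code from this post or from the IETF draft) that makes the root-key dependency concrete: a client validating a TLS-delivered chain first has to match the chain's root DNSKEY against its own configured DS trust anchor, and a client following an alternative root fails at that step before any signature is checked. Keys and chain records below are constructed, and RRSIG verification is assumed to happen elsewhere.

```python
import hashlib
import struct

# Added illustration, not code from the Yeti list post or the IETF draft.
# Models only the trust-anchor step of validating a DNSSEC chain delivered in
# the TLS extension: the chain's root DNSKEY must hash to the DS-form trust
# anchor the client has configured (RFC 4034 section 5.1.4 digest).
# RRSIG verification of the rest of the chain is assumed to happen elsewhere.

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b"".join(bytes([len(label)]) + label.lower().encode("ascii")
                    for label in name.rstrip(".").split(".") if label)
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire RDATA of a DNSKEY RR: flags(16) | protocol(8) | algorithm(8) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner-name wire form followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def root_anchor_matches(chain, trust_anchors):
    """True if any root DNSKEY in the served chain hashes to a configured DS anchor.
    chain: iterable of (owner, rrtype, rdata); trust_anchors: set of hex DS digests."""
    return any(ds_digest(owner, rdata) in trust_anchors
               for owner, rrtype, rdata in chain
               if owner == "." and rrtype == "DNSKEY")

# Constructed keys (placeholder bytes, not real DNSSEC keys): one root KSK for
# the root the server validates under, one for a client on an alternative root.
SERVER_ROOT_KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
ALT_ROOT_KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32, 64)))

# Chain as the TLS server would serve it: root DNSKEY first, then the
# delegation records down to its own name (lower records abbreviated).
SERVED_CHAIN = [
    (".", "DNSKEY", SERVER_ROOT_KSK),
    ("example.", "DS", b"constructed-ds"),
    ("example.", "DNSKEY", b"constructed-key"),
]

def validate_for_clients():
    """Same chain, two clients: one shares the server's root key, one does not."""
    same_root = root_anchor_matches(SERVED_CHAIN, {ds_digest(".", SERVER_ROOT_KSK)})
    alt_root = root_anchor_matches(SERVED_CHAIN, {ds_digest(".", ALT_ROOT_KSK)})
    return same_root, alt_root  # (True, False)
```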