[Yeti DNS Discuss] Chain Extension for TLS and the root key
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Jul 10 10:34:25 UTC 2017
The IETF draft "A DANE Record and DNSSEC Authentication Chain
Extension for TLS" draft-ietf-tls-dnssec-chain-extension is currently
in Working Group Last Call (ending 12 July).

I'm wondering if it is compatible with "alternative roots": the TLS
server returns all the DNSSEC keys and signatures, from the root to
its own domain. It means the TLS client *must* use the same DNSSEC
root key as the TLS server.

If it cannot work with alternative roots, this is certainly an issue.
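
Added example, not part of the original message and not code from the draft: a sketch of the trust-anchor check the question above turns on. It covers only whether a root KSK in the server-supplied chain matches an anchor configured on the client (RRSIG verification is omitted), and all keys, constants and function names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name ("." is the root)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_anchor(owner: str, rdata: bytes) -> tuple:
    """DS-style trust anchor: (key tag, algorithm, SHA-256 digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def chain_anchored(root_dnskeys: list, client_anchors: set) -> bool:
    """True if a root KSK (SEP bit set) in the server's chain matches a client anchor."""
    for rdata in root_dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if flags & 0x0001 and ds_anchor(".", rdata) in client_anchors:
            return True
    return False

# Constructed sample data: the "public keys" are filler bytes, not real keys.
ROOT_KSK_A = dnskey_rdata(257, 8, hashlib.sha256(b"constructed root A").digest() * 8)
ROOT_KSK_B = dnskey_rdata(257, 8, hashlib.sha256(b"constructed root B").digest() * 8)
ROOT_ZSK_A = dnskey_rdata(256, 8, hashlib.sha256(b"constructed zsk A").digest() * 4)

# Assumption: the TLS server built its chain under root A.
SERVER_CHAIN_ROOT_KEYS = [ROOT_ZSK_A, ROOT_KSK_A]
CLIENT_SAME_ROOT = {ds_anchor(".", ROOT_KSK_A)}   # client trusts the same root key
CLIENT_OTHER_ROOT = {ds_anchor(".", ROOT_KSK_B)}  # client trusts a different root key

if __name__ == "__main__":
    print("same root:", chain_anchored(SERVER_CHAIN_ROOT_KEYS, CLIENT_SAME_ROOT))
    print("other root:", chain_anchored(SERVER_CHAIN_ROOT_KEYS, CLIENT_OTHER_ROOT))
```

With a different root anchor on the client, the chain has no starting point the client trusts, so validation fails before any signature is examined.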