[Yeti DNS Discuss] Chain Extension for TLS and the root key

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Jul 10 15:14:08 UTC 2017

It probably does not work for people who make up their own internally
used TLD e.g. local. Even if these people sign "local." with their own
key and use the trusted-keys (BIND statement) on the resolver it will
never be known by a TLS client.


On 10/07/17 12:34, Stephane Bortzmeyer wrote:
> The IETF draft "A DANE Record and DNSSEC Authentication Chain
> Extension for TLS" draft-ietf-tls-dnssec-chain-extension is currently
> in Working Group Last Call (ending 12 July).
> I'm wondering if it is compatible with "alternative roots": the TLS
> server returns all the DNSSEC keys and signatures, from the root to
> its own domain. It means the TLS client *must* use the same DNSSEC
> root key as the TLS server.
> If it cannot work with alternative roots, this is certainly an issue.

More information about the discuss mailing list