[Yeti DNS Discuss] Re: Chain Extension for TLS and the root key
Davey Song(宋林健)
ljsong at biigroup.cn
Tue Jul 11 01:59:44 UTC 2017
IMHO, any protocol or application that relies on a unique DNS trust anchor will
strengthen the centralized aspect of DNS, not in a distributed manner. I
prefer a web-based certificate model for my own applications, like multiple
trust anchors.
Davey
> -----Original Message-----
> From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On Behalf Of
> Stephane Bortzmeyer
> Sent: 10 July 2017 18:34
> To: discuss at lists.yeti-dns.org
> Subject: [Yeti DNS Discuss] Chain Extension for TLS and the root key
>
> The IETF draft "A DANE Record and DNSSEC Authentication Chain Extension
> for TLS" draft-ietf-tls-dnssec-chain-extension is currently in Working
> Group Last Call (ending 12 July).
>
> I'm wondering if it is compatible with "alternative roots": the TLS server
> returns all the DNSSEC keys and signatures, from the root to its own
> domain. It means the TLS client *must* use the same DNSSEC root key as
> the TLS server.
>
> If it cannot work with alternative roots, this is certainly an issue.
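The concern in the quoted message and the multiple-trust-anchor preference in the reply, as an added example that is not part of the original thread or of the draft. It is a simplified model: each link is checked only by DS digest (RRSIG verification is omitted), and the key bytes and zone names are constructed.

```python
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    if name == ".":
        return b"\x00"
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, algorithm=8):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_digest(owner, rdata):
    """SHA-256 DS digest (RFC 4034 section 5.1.4): owner name | DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def build_chain(zone_keys):
    """zone_keys: [(zone, public_key), ...] from the root down to the server's zone."""
    links = [{"zone": z, "dnskey": dnskey_rdata(k)} for z, k in zone_keys]
    for parent, child in zip(links, links[1:]):
        parent["child_ds"] = ds_digest(child["zone"], child["dnskey"])
    return links

def validate_chain(chain, trust_anchors):
    """Return (ok, reason). trust_anchors is a set of root-key DS digests."""
    if not chain or chain[0]["zone"] != ".":
        return False, "chain does not start at the root"
    if ds_digest(".", chain[0]["dnskey"]) not in trust_anchors:
        return False, "root key not in client trust anchors"
    for parent, child in zip(chain, chain[1:]):
        if parent.get("child_ds") != ds_digest(child["zone"], child["dnskey"]):
            return False, "broken delegation at " + child["zone"]
    return True, "ok"

# Constructed keys (not real RSA keys): two different root keys, same lower zones.
ROOT_A = b"constructed-root-key-A"
ROOT_B = b"constructed-root-key-B"
LOWER = [("example.", b"constructed-tld-key"), ("host.example.", b"constructed-zone-key")]

server_chain = build_chain([(".", ROOT_B)] + LOWER)  # chain the TLS server sends
anchor_a = ds_digest(".", dnskey_rdata(ROOT_A))
anchor_b = ds_digest(".", dnskey_rdata(ROOT_B))

if __name__ == "__main__":
    print(validate_chain(server_chain, {anchor_a}))            # client trusts only root A
    print(validate_chain(server_chain, {anchor_a, anchor_b}))  # client with multiple anchors
```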