Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors
"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 01 November 2017 14:49 UTC
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Wed, 01 Nov 2017 07:49:32 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/njdL0vmTyIPjOOfwkgLtFobGJrE>

On 1 Nov 2017, at 6:48, Edward Lewis wrote:

> The reason why I'm digging into this is that "things change."

As a recap: this thread started with Moritz quoting from RFC 4035 and asking:

> Did we miss something, or is there indeed clarification needed?

I believe that RFC 4035 indicates success in any chain means that the validator should mark it as Secure. Mike StJohns pointed out that RFC 6840 gave different guidance. That guidance suggests a default scheme and says that it should be up to validator configuration.

RFC 6840, which is the latest standards-track text on the topic, was published in 2013. If things have changed since 2013, an update to RFC 6840 should be started.

--Paul Hoffman