Re: [TLS] [dane] Consensus Call on draft-ietf-tls-dnssec-chain-extension [AT LEAST (A)]

John Gilmore <> Thu, 12 April 2018 18:44 UTC

Message-Id: <>
To: TLS WG <>
In-reply-to: <>
References: <> <>
Comments: In-reply-to Viktor Dukhovni <> message dated "Thu, 12 Apr 2018 14:32:10 -0400."
Date: Thu, 12 Apr 2018 11:44:52 -0700
From: John Gilmore <>
Archived-At: <>
Subject: Re: [TLS] [dane] Consensus Call on draft-ietf-tls-dnssec-chain-extension [AT LEAST (A)]

>   * The present text (Section 8) says:
> 	   Green field applications that are designed to always employ this
>            extension, could of course unconditionally mandate its use.
> Therefore such "green field" applications (presumably some of the ones
> ready to implement now) effectively mandate DNSSEC and TLSA records
> at the server, NOT JUST support for the extension.

Viktor, I believe you have confused a "could" with a "mandate".

The text of this RFC does not require future green field applications
to mandate the use of this extension.  It merely allows them to do so.
None need ever do so.  If any ever did, the future RFC could specify
how servers which do not have validated TLSA records should handle the
situation.  Different future protocols might choose different ways
to handle this (e.g. don't send the extension at all; or send a validated
denial; or send some kind of flag saying that the server doesn't even have
a validated denial because it isn't using DNS or because some domain on
its path to the DNS root isn't doing DNSSEC or isn't using NSECx records).

Please, let this RFC go, rather than requiring that this committee
first insert into it a paper spec for what some future protocol should
do, without even knowing what the future protocol is.