Thanks for the response Med.

On Tue, Jun 28, 2022, at 19:39, mohamed.boucadair@xxxxxxxxxx wrote:

Thanks for the response on DDR. I forgot that was there. Can you please make DDR a normative reference? It's informative right now.

You missed this piece:

>> Do you have an A/AAAA fallback?

I take it from your answer that this is a "no". I'll take that to the DDR spec though; it's not your problem to deal with.

> [Med] Here is a proposal for discussion:
>
> NEW:
> The client verifies the connection based on PKIX validation [RFC5280]
> of the DNS resolver certificate and uses the validation techniques as
> described in [RFC6125] to compare the authentication domain name
> conveyed in the Encrypted DNS options to the certificate provided
> (see Section 8.1 of [RFC8310] for more details). The client uses by
> default PKIX validation unless configured otherwise.

This looks much better, thanks. The last sentence doesn't really say anything new (PKIX validation is required based on the first sentence). I think that you want to say *Web PKI trust anchors* by default.

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
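The proposed text quoted above describes two distinct checks a DoT/DoH client performs: RFC 5280 path validation of the resolver certificate against its trust anchors (the Web PKI roots by default, something else only when configured), and RFC 6125 comparison of the authentication domain name (ADN) carried in the Encrypted DNS option to the identifiers the certificate presents. The following Python sketch is an added example written for this page; it is not code from the draft, from RFC 8310, or from anyone in this thread. It assumes the certificate shape that `ssl.SSLSocket.getpeercert()` returns, applies the wildcard rules of RFC 6125 section 6.4.3 as current clients apply them (wildcard only as the whole left-most label, matching one label, never an IDNA A-label, and conservatively never directly under a TLD), ignores commonName entirely, and adds an IP-literal branch for a client verifying by address rather than by ADN, which the quoted text itself does not cover. The function names and the sample certificate dicts are my own.

```python
"""Added example (not from the draft or this thread): PKIX context plus
RFC 6125 comparison of the ADN from the Encrypted DNS option."""
import ipaddress
import socket
import ssl
from typing import Mapping, Optional, Sequence, Tuple

# Assumed certificate shape: the dict ssl.SSLSocket.getpeercert() returns, e.g.
# {"subjectAltName": (("DNS", "dns.example.net"), ("IP Address", "192.0.2.53"))}
PeerCert = Mapping[str, object]


def resolver_tls_context(trust_anchors: Optional[str] = None) -> ssl.SSLContext:
    """PKIX validation context. With no argument, create_default_context() loads
    the platform's Web PKI roots (the 'by default' case); passing a CA bundle
    path is the 'configured otherwise' case and replaces those roots entirely."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=trust_anchors)
    # Both are already set by create_default_context; restated because they are
    # the whole point: RFC 5280 chain validation plus reference-identifier matching.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_enforces_pkix(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot complete a handshake without a validated chain
    and a name match."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _dns_id_matches(dns_id: str, adn: str) -> bool:
    """One SAN dNSName (possibly wildcarded) vs. the ADN, RFC 6125 section 6.4.3."""
    dns_id, adn = dns_id.lower().rstrip("."), adn.lower().rstrip(".")
    if "*" not in dns_id:
        return dns_id == adn
    id_labels, adn_labels = dns_id.split("."), adn.split(".")
    # Wildcard only as the entire left-most label, never "*.net" (conservative choice).
    if id_labels[0] != "*" or len(id_labels) < 3:
        return False
    # A wildcard matches exactly one non-empty label and never an IDNA A-label.
    if len(adn_labels) != len(id_labels) or not adn_labels[0] or adn_labels[0].startswith("xn--"):
        return False
    return id_labels[1:] == adn_labels[1:]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def adn_matches_certificate(adn: str, cert: PeerCert) -> bool:
    """RFC 6125 comparison of the ADN to the certificate. Only subjectAltName
    entries count; commonName is ignored (RFC 6125 section 6.4.4 allows CN-ID
    only as a fallback when no DNS-ID exists, and current clients skip it)."""
    san: Sequence[Tuple[str, str]] = cert.get("subjectAltName", ())  # type: ignore[assignment]
    wanted_ip = _parse_ip(adn)
    if wanted_ip is not None:
        # Address-based verification (my addition, outside the quoted text):
        # an IP literal matches iPAddress SANs only, never a dNSName.
        return any(kind == "IP Address" and _parse_ip(value) == wanted_ip for kind, value in san)
    return any(kind == "DNS" and _dns_id_matches(value, adn) for kind, value in san)


def verify_resolver(adn: str, address: str, port: int = 853,
                    trust_anchors: Optional[str] = None) -> PeerCert:
    """Open the DoT connection the way the proposed text requires: connect to the
    address from the option but present the ADN as the reference identifier.
    The handshake itself raises ssl.SSLCertVerificationError on a PKIX failure
    or an RFC 6125 mismatch; the explicit re-check only shows the mapping."""
    ctx = resolver_tls_context(trust_anchors)
    with socket.create_connection((address, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=adn) as tls:
            cert = tls.getpeercert()
            if not adn_matches_certificate(adn, cert):
                raise ssl.SSLCertVerificationError(f"ADN {adn!r} not in certificate")
            return cert
```

`verify_resolver` is the only part that needs a network; everything else runs offline on a constructed certificate dict. Note the asymmetry the proposed text relies on: the client connects to the address it learned from the option, but the name it demands in the certificate is the ADN, so a resolver at a hijacked address still needs a certificate for that ADN chaining to one of the client's trust anchors.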