On Wed, 29 Jun 2022 at 06:21, Martin Thomson <mt@xxxxxxxxxxxxxx> wrote:
Thanks for the response, Med.
On Tue, Jun 28, 2022, at 19:39, mohamed.boucadair@xxxxxxxxxx wrote:
Thanks for the response on DDR. I forgot that was there.
Can you please make DDR a normative reference? It's informative right now.
You missed this piece:
>> Do you have an A/AAAA fallback?
I take it from your answer that this is a "no". I'll take that to the DDR spec though; it's not your problem to deal with.
> [Med] Here is a proposal for discussion:
>
> NEW:
> The client verifies the connection based on PKIX validation [RFC5280]
> of the DNS resolver certificate and uses the validation techniques as
> described in [RFC6125] to compare the authentication domain name
> conveyed in the Encrypted DNS options to the certificate provided
> (see Section 8.1 of [RFC8310] for more details). The client uses by
> default PKIX validation unless configured otherwise.
This looks much better thanks. The last sentence doesn't really say anything new (PKIX validation is required based on the first sentence). I think that you want to say *Web PKI trust anchors* by default.
Sounds good, will update text to say "The client uses Web PKI trust anchors by default unless configured otherwise to use explicit trust anchors".
-Tiru
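As an added illustration of the agreed text (this code is not from the draft or from anyone on the thread): a client that performs PKIX validation of the resolver certificate, compares the ADN from the Encrypted DNS option against it per RFC 6125, and trusts the Web PKI anchors by default unless explicit trust anchors are configured. The function names, the `explicit_trust_anchors` parameter and the sample ADN are this example's own.

```python
import ipaddress
import socket
import ssl
from typing import Optional


def build_verify_context(explicit_trust_anchors: Optional[str] = None) -> ssl.SSLContext:
    """Return a TLS client context that does PKIX validation (RFC 5280).

    Default: the platform's Web PKI trust anchors. If the operator configured
    explicit trust anchors (path to a PEM bundle), only those are trusted.
    """
    if explicit_trust_anchors is None:
        # Loads the system Web PKI store, sets CERT_REQUIRED and enables
        # hostname checking.
        ctx = ssl.create_default_context()
    else:
        # With cafile given, the system store is NOT loaded: only the
        # configured anchors are trusted.
        ctx = ssl.create_default_context(cafile=explicit_trust_anchors)
    # Restate the settings the proposed text requires, in case a caller
    # later reuses a context that was relaxed elsewhere.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def reference_identity(adn: str) -> str:
    """The identity matched against the certificate (RFC 6125) is the ADN
    carried in the DNR option; an IP literal is not an acceptable ADN."""
    name = adn.rstrip(".")  # drop a trailing root label before matching
    if not name:
        raise ValueError("DNR option carried no authentication domain name")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return name  # a DNS name, as required
    raise ValueError("ADN must be a DNS name, not an IP literal")


def connect_encrypted_resolver(adn: str, resolver_ip: str, port: int = 853,
                               explicit_trust_anchors: Optional[str] = None) -> ssl.SSLSocket:
    """Open a DoT connection to resolver_ip and authenticate it as `adn`."""
    ctx = build_verify_context(explicit_trust_anchors)
    raw = socket.create_connection((resolver_ip, port), timeout=5)
    # server_hostname drives SNI and the RFC 6125 comparison: a certificate
    # that does not name the ADN fails the handshake with CertificateError.
    return ctx.wrap_socket(raw, server_hostname=reference_identity(adn))
```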
--
Add mailing list
Add@xxxxxxxx
https://www.ietf.org/mailman/listinfo/add
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call