On Tue, Feb 6, 2018 at 8:25 PM, Matthew Miller <linuxwolf+ietf@xxxxxxxxxxxxxxxx> wrote:
Reviewer: Matthew Miller
Review result: Ready with Nits
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please wait for direction from your
document shepherd or AD before posting a new version of the draft.
For more information, please see the FAQ at
<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
Document: draft-ietf-tls-dnssec-chain-extension-06
Reviewer: Matthew A. Miller
Review Date: 2018-02-06
IETF LC End Date: 2018-02-07
IESG Telechat date: 2018-02-08
Summary:
This document is ready, with one issue that I think could benefit
from some clarification.
Major issues:
NONE
Minor issue:
This is more of a question that might warrant some clarification:
In 7. Verification, the last paragraph discusses client-side
caching of the RRsets. If a client has cached the full RRset chain
from TLSA to root RRSIG (and that cache is still viable), is the
client still expected to specify the "dnssec_chain" extension?
In my reading, that does not seem necessary, and I think it might
be worth noting if that is true.
Yes, if the client has cached either the validated TLSA RRset or the
full chain, then it doesn't need to send the dnssec_chain for subsequent
connections.
If it has only cached other portions of the chain, then it needs to.
We can clarify this.
Shumon Huque
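The caching rule stated in the reply above, as an added illustration that is not part of the draft or of this thread: a client-side cache of validated RRsets (each expiring at its own TTL), where the dnssec_chain extension is omitted only when the validated TLSA RRset itself, or every RRset of the full chain, is still unexpired. The class and record names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class CachedRRset:
    """One validated RRset kept from an earlier dnssec_chain response."""
    owner: str        # owner name, e.g. "_443._tcp.www.example.com."
    rrtype: str       # "TLSA", "DNSKEY", "DS", ...
    expires_at: float # absolute time computed from the RRset TTL at validation


class DnssecChainCache:
    """Hypothetical client cache deciding whether dnssec_chain must be sent."""

    def __init__(self):
        self._chains = {}  # tlsa_name -> list[CachedRRset] (whole chain as served)
        self._tlsa = {}    # tlsa_name -> CachedRRset (validated TLSA on its own)

    def store_chain(self, tlsa_name, rrsets):
        """Keep a validated chain; the TLSA RRset in it is also usable alone."""
        self._chains[tlsa_name] = list(rrsets)
        for rr in rrsets:
            if rr.rrtype == "TLSA" and rr.owner == tlsa_name:
                self._tlsa[tlsa_name] = rr

    def has_usable_tlsa(self, tlsa_name, now):
        rr = self._tlsa.get(tlsa_name)
        return rr is not None and rr.expires_at > now

    def has_full_chain(self, tlsa_name, now):
        """True only if every RRset of the cached chain is still within TTL."""
        chain = self._chains.get(tlsa_name)
        return bool(chain) and all(rr.expires_at > now for rr in chain)

    def needs_dnssec_chain_extension(self, tlsa_name, now):
        # Only partial chain data (e.g. TLSA expired, DS/DNSKEY still fresh)
        # does not let the client skip the extension.
        return not (self.has_usable_tlsa(tlsa_name, now)
                    or self.has_full_chain(tlsa_name, now))


# Constructed sample: TLSA TTL ends first, the DS and root DNSKEY live longer.
NAME = "_443._tcp.www.example.com."
SAMPLE_CHAIN = [
    CachedRRset(".", "DNSKEY", expires_at=2000.0),
    CachedRRset("example.com.", "DS", expires_at=1500.0),
    CachedRRset(NAME, "TLSA", expires_at=1200.0),
]
```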