MelindaShore / dnssec-serialization

Internet draft(s) proposing a standard for serialization and transport of dnssec/dane validation chains

SNI #1

Open MelindaShore opened 9 years ago

MelindaShore commented 9 years ago

Need to add some text requiring the chain lookup on SNI, if available.

MelindaShore commented 9 years ago

Still needs more discussion. From Viktor:

"I think the Section 4 SNI interaction would be a lot cleaner, if SNI is mandatory for clients that use the proposed extension. In which case the server can only respond with a leaf TLSA RRset (and chain of RRSIG/DNSKEY/DS/... records) whose "base domain" (see section 3 of RFC6698 and soon definition of TLSA base domain in draft-ietf-dane-ops-13 (later this week)). Using some random name for the server's IP address is not a good idea IMHO. PTR records are too often poorly correlated with the client's notion of the target server name."
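One way to express the rule Viktor describes, as an added example that is not code from the draft or from this repository: derive the TLSA owner name the client would query from its SNI (the `_port._proto.base-domain` form of RFC 6698 section 3) and accept a served chain only when the TLSA RRset's owner name has exactly that base domain, so a chain built for some PTR-derived name for the server's address is rejected. The host names, ports and sample owner names are constructed for illustration; the check assumes the simple case where the TLSA base domain is the SNI name itself (no CNAME indirection, which the referenced dane-ops draft addresses separately) and treats a missing SNI as a reject, following the "SNI mandatory" position in the comment.

```python
import re

# TLSA owner name form from RFC 6698 section 3: _<port>._<proto>.<base domain>
TLSA_OWNER_RE = re.compile(r"^_(\d{1,5})\._(tcp|udp|sctp)\.(.+)$", re.IGNORECASE)


def normalize(name):
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def tlsa_owner_for(sni, port=443, proto="tcp"):
    """TLSA owner name a client would look up for the SNI host (assumed: no CNAME expansion)."""
    if not sni:
        raise ValueError("SNI is required when the chain extension is used")
    return "_%d._%s.%s" % (port, proto, normalize(sni))


def parse_tlsa_owner(owner):
    """Split a TLSA owner name into (port, proto, base domain); None if it is not one."""
    m = TLSA_OWNER_RE.match(normalize(owner))
    if not m:
        return None
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def chain_matches_sni(sni, served_tlsa_owner, port=443, proto="tcp"):
    """Accept the served chain only if its TLSA base domain is the client's SNI name.

    A missing SNI is a reject (the extension is taken to require SNI), as is a
    chain whose owner name is for a different name, port or protocol.
    """
    if not sni:
        return False
    parsed = parse_tlsa_owner(served_tlsa_owner)
    if parsed is None:
        return False
    got_port, got_proto, base = parsed
    return (got_port, got_proto, base) == (port, proto, normalize(sni))


if __name__ == "__main__":
    # Constructed sample: the client asked for www.example.com, the server has
    # chains for its own name and for a PTR-derived hosting name.
    sni = "www.example.com"
    print(tlsa_owner_for(sni))  # _443._tcp.www.example.com.
    for owner in ("_443._tcp.www.example.com.", "_443._tcp.host17.hosting.example.net."):
        print(owner, "accepted" if chain_matches_sni(sni, owner) else "rejected")
```

The same comparison is what a client would apply to the owner name of the TLSA RRset it extracts from the serialized chain before bothering to validate the RRSIG/DNSKEY/DS records above it: if the base domain is not the name it asked for, the chain is useless to it regardless of whether the signatures verify.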

shuque commented 9 years ago

For the record, I completely agree with Viktor. But I'll defer to collective discussion and consensus on this issue.