On 21/06/13 17:41, Olle E. Johansson wrote:
On 21 Jun 2013, at 15:05, Daniel Pocock daniel@pocock.com.au wrote:
- The config uses DNS to establish the transport available on the
remote proxy. It doesn't use DNSSEC to do this.
I'm not sure if DNSSEC matters if the TLS certificate is valid - some people may prefer to trust the TLS cert and not place any trust in the DNSSEC trust model.
That's quite a misguided statement. If DNS points to an incorrect destination that succeeds in providing a certificate that you accept - how can that be a good solution?
It is a relative level of trust (there is no 100% trust).
If the cert is signed by your private root CA you may trust it more than the DNSSEC trust anchor from ICANN.