
Re: [mif] Last Call: <draft-ietf-mif-mpvd-arch-09.txt> (Multiple Provisioning Domain Architecture) to Informational RFC

2015-02-03 12:31:28
On Feb 3, 2015, at 9:09 AM, Markus Stenberg <markus(_dot_)stenberg(_at_)iki(_dot_)fi> wrote:
> Fair enough; I guess just splitting the dual stack PVDs if encountered
> (IPv4+IPv6 -> NATted IPv4 + IPv6 as-is) is sufficient answer to that. As I
> personally consider authentication mostly bogus, this is not really a problem
> for me :)

To be clear, the authentication we're talking about here, at least generally,
is not intended to assert that the node receiving it can trust it without
question. It merely asserts that the information came from a particular
source, which the node may or may not trust. That's what the text you were
commenting on was for, actually.

> So final suggestion - get rid of DANE, get rid of TLS, and probably rework
> the text in that paragraph a bit to make it simpler. As-is, both DANE and TLS
> mentions seem superfluous.

I'm skeptical about this--I think it's good to mention DANE. DNSSEC is in
effect a PKI, but it's quite a bit different than the other common PKI example.
How about "a PKI, for example DNSSEC/DANE or X.509?" That way we don't lose
the mention of DNSSEC, but keep it open to other PKIs.