Closed Bug 672244 Opened 13 years ago Closed 4 years ago

add DNSSEC chain handshake extension to TLS

Categories

(NSS :: Libraries, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: keeler, Unassigned)

References

Details

(Whiteboard: [dnssec])

Attachments

(1 file, 2 obsolete files)

Attached file patch that adds this extension (obsolete)
Adds simple handling of an experimental handshake extension to TLS.
The client indicates it wishes to see a DNSSEC chain and the server responds with a blob of data.
Blocks: 672239
No longer depends on: 672239
David, please include a link to the specification of the format of the server extension and the format of the client extension. The spec. should be written in a similar way to the specs for other TLS extensions (e.g. http://tools.ietf.org/html/rfc4492#section-5.1.1).
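The wire format sketched in the first comment (the client sends the extension with empty extension_data to signal interest, the server answers with an opaque blob) and the RFC 4492 style of specification requested here, worked through as an added example. This is not the patch attached to this bug and not NSS code: it is a minimal encoder plus a strictly bounds-checked parser for a TLS extensions block, written to show why every length field must be validated against the bytes actually present before it is trusted. The code point EXT_DNSSEC_CHAIN is an assumed placeholder (the page does not give the value the patch used), and kConstructedChain is a constructed stand-in for the blob, not real DNSSEC records.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed placeholder code point for the experimental extension; the bug does
 * not record the value the patch used, so this is not the real assignment. */
#define EXT_DNSSEC_CHAIN 0xff01

/* Constructed stand-in for the server's chain blob (not real DNSSEC RRs). */
static const uint8_t kConstructedChain[] = { 0x00, 0x01, 0x02, 0x03, 0xAA, 0xBB };

/* TLS uint16 helpers (network byte order). */
static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode one Extension: ExtensionType(2) + extension_data length(2) + data.
 * The ClientHello form uses len == 0 (interest only); the ServerHello form
 * carries the blob. Returns bytes written, or 0 if it does not fit. */
size_t encode_extension(uint16_t type, const uint8_t *data, size_t len,
                        uint8_t *out, size_t out_len)
{
    if (len > 0xffff || out_len < 4 + len) return 0;
    put_u16(out, type);
    put_u16(out + 2, (uint16_t)len);
    if (len) memcpy(out + 4, data, len);
    return 4 + len;
}

/* Wrap a single extension in an "Extension extensions<0..2^16-1>" block. */
size_t build_block(uint16_t type, const uint8_t *data, size_t len,
                   uint8_t *out, size_t out_len)
{
    if (out_len < 2) return 0;
    size_t n = encode_extension(type, data, len, out + 2, out_len - 2);
    if (!n) return 0;
    put_u16(out, (uint16_t)n);
    return 2 + n;
}

/* Walk an extensions block looking for `want`. Each length is checked against
 * the remaining input before use, so a peer cannot make us read past `buf`.
 * Returns 1 (found; *data/*len point into buf), 0 (absent), -1 (malformed:
 * truncated, inner/outer length mismatch, or duplicate extension type). */
int find_extension(const uint8_t *buf, size_t buf_len, uint16_t want,
                   const uint8_t **data, size_t *len)
{
    if (buf_len < 2) return -1;
    size_t total = get_u16(buf);
    if (total != buf_len - 2) return -1;          /* outer length must match exactly */
    const uint8_t *p = buf + 2, *end = buf + buf_len;
    int found = 0;
    while (p < end) {
        if ((size_t)(end - p) < 4) return -1;     /* need type + length */
        uint16_t type = get_u16(p);
        size_t dlen = get_u16(p + 2);
        p += 4;
        if ((size_t)(end - p) < dlen) return -1;  /* claims more bytes than present */
        if (type == want) {
            if (found) return -1;                 /* duplicates are illegal */
            *data = p; *len = dlen; found = 1;
        }
        p += dlen;
    }
    return found;
}

/* Client side: empty extension; returns parsed blob length (0) or -1 on error. */
int example_client_roundtrip(void)
{
    uint8_t buf[16]; const uint8_t *d; size_t l;
    size_t n = build_block(EXT_DNSSEC_CHAIN, NULL, 0, buf, sizeof buf);
    if (n != 6) return -1;
    if (find_extension(buf, n, EXT_DNSSEC_CHAIN, &d, &l) != 1) return -1;
    return (int)l;
}

/* Server side: blob round-trips intact; returns 1 on success, 0 otherwise. */
int example_server_roundtrip(void)
{
    uint8_t buf[32]; const uint8_t *d; size_t l;
    size_t n = build_block(EXT_DNSSEC_CHAIN, kConstructedChain,
                           sizeof kConstructedChain, buf, sizeof buf);
    if (find_extension(buf, n, EXT_DNSSEC_CHAIN, &d, &l) != 1) return 0;
    return l == sizeof kConstructedChain && memcmp(d, kConstructedChain, l) == 0;
}

/* Malformed input: inner length forged to claim 256 bytes; parser must reject. */
int example_truncated(void)
{
    uint8_t buf[32]; const uint8_t *d; size_t l;
    size_t n = build_block(EXT_DNSSEC_CHAIN, kConstructedChain,
                           sizeof kConstructedChain, buf, sizeof buf);
    put_u16(buf + 4, 0x0100);
    return find_extension(buf, n, EXT_DNSSEC_CHAIN, &d, &l);
}

int main(void)
{
    printf("client blob len: %d\n", example_client_roundtrip());
    printf("server roundtrip ok: %d\n", example_server_roundtrip());
    printf("forged length result: %d\n", example_truncated());
    return 0;
}
```

A real implementation would additionally refuse to send the server extension unless the ClientHello carried it, and would hand the blob to a DNSSEC validator rather than trusting its contents; the parser above only establishes that the bytes are well framed.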
Attached patch patch that adds this extension (obsolete)
updated patch
Attachment #546559 - Attachment is obsolete: true
Assignee: nobody → dkeeler
FYI, ... my $.02

NSS got burned pretty badly a number of years ago by implementing an Internet Draft that had not yet become an RFC, and shipping that in products. There were last minute changes before the RFC was published that necessitated changes that broke compatibility. The experience was awful enough that the NSS team adopted a policy of not committing changes to the NSS tree branches from which real releases come until the change has appeared in an RFC (for protocol changes) or in an official NIST publication (for alg changes). Note that being in an experimental RFC is OK.

Please respect that policy in the tree at this time. If this is still an ID, do the work on a new branch in CVS, and then it can be merged when the RFC is published.
Attached patch patch
Latest version of patch.
Attachment #546852 - Attachment is obsolete: true
Comment on attachment 555219 (patch)

Clearing review request until we re-assess how this fits in with our certificate validation improvement plans.
Attachment #555219 - Flags: review?(bsmith)
See Also: → 748232
I am not actively working on this.
Assignee: dkeeler → nobody
QA Contact: jjones
Whiteboard: [dnssec]

Please wontfix. Nginx doesn't even do OCSP right. We have DoH, otherwise Trust DNS (Rust library) could be used for local verification.

Not sure about the relation to nginx, but this can be handled as a duplicate of bug 672600 or bug 1609835 then.

Meta bug 672239 was wontfixed.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX