Telechat Review of draft-ietf-tls-dnssec-chain-extension-06

Request
Review of: draft-ietf-tls-dnssec-chain-extension
Requested rev.: no specific revision (document currently at 07)
Type: Telechat Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2018-02-06
Requested: 2018-01-25
Authors: Melinda Shore, Richard Barnes, Shumon Huque, Willem Toorop
Draft last updated: 2018-02-06
Completed reviews: Genart Telechat review of -06 by Matthew Miller

Assignment
Reviewer: Matthew Miller
State: Completed
Review: review-ietf-tls-dnssec-chain-extension-06-genart-telechat-miller-2018-02-06
Reviewed rev.: 06 (document currently at 07)
Review result: Ready with Nits
Review completed: 2018-02-06


I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please wait for direction from your
document shepherd or AD before posting a new version of the draft.

For more information, please see the FAQ at


Document: draft-ietf-tls-dnssec-chain-extension-06
Reviewer: Matthew A. Miller
Review Date: 2018-02-06
IETF LC End Date: 2018-02-07
IESG Telechat date: 2018-02-08


This document is ready, with one issue that I think could benefit
from some clarification.

Major issues:


Minor issue:

This is more of a question that might warrant some clarification:
In 7. Verification, the last paragraph discusses client-side
caching of the RRsets. If a client has cached the full RRset chain
from TLSA to root RRSIG (and that cache is still viable), is the
client still expected to specify the "dnssec_chain" extension?

In my reading, that does not seem necessary, and I think it might
be worth noting if that is true.

Nits/editorial comments: