Confirm
298
edits
Changes
no edit summary
For certificates with a known root of trust, the policy is "The certificate chain must be valid and (the DNSSEC chain must be valid or the domain does not require such additional validation)". Currently there is no mechanism to specify whether or not a domain requires DNSSEC validation. In This case any TLSA certificate type may be used.
== CNAME issues ==
The use of CNAME records introduces complexities into this system that have yet to be ironed out.
== DNSSEC Libraries ==
