On Fri, Oct 12, 2012 at 09:45:29AM +0100, Tony Finch wrote:
> Marc Lampo <[email protected]> wrote:
> > Before the draft was adopted as RFC I asked how to cope with proxies.
> 
> Why are proxies a problem for DANE in particular, rather than TLS in
> general?

TLS man in the middle proxies are easy to implement with faking
certificates (on the fly for local enterprise CA or by obtaining fake certs
from well known CAs).

With DANE, there is a problem: You need to modify the DNSSEC chain on the
fly.

So what Marc is asking for is a way to forge DNSSEC answers for legal and
illegal purposes, corporate and secret services. It's sufficient to provide
such a system for DANE only.

The most obvious solution is to install mandatory DLV in the resolvers, so
urging such support for DANE applications.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
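The point in the message above, that a TLS interception proxy can satisfy a PKIX check with an on-the-fly certificate but cannot satisfy a DANE TLSA record without also altering the DNSSEC-signed answer, can be made concrete with the TLSA matching rules of RFC 6698. The following is an added example and is not code from the thread or from any IETF implementation. The certificate bytes, the hostname example.net and the "proxy" certificate are constructed stand-ins: a real client would parse DER and extract the SubjectPublicKeyInfo from the X.509 structure, and would still perform the usual PKIX validation for usages 0 to 2.

```python
"""DANE TLSA matching (RFC 6698 section 2.1) in pure Python.

Added example, not from the mailing-list thread. Certificates are constructed
byte strings standing in for DER and SubjectPublicKeyInfo; no X.509 parsing.
"""
import hashlib
from dataclasses import dataclass

# Certificate usage (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector (section 2.1.2)
SEL_FULL_CERT, SEL_SPKI = 0, 1
# Matching type (section 2.1.3)
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate."""
    der: bytes   # whole certificate as presented in the TLS handshake
    spki: bytes  # its SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse the zone-file RDATA form, e.g. '3 1 1 <hex digest>'."""
        usage, selector, mtype, hexdata = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def _selected(cert: Cert, selector: int) -> bytes:
    if selector == SEL_FULL_CERT:
        return cert.der
    if selector == SEL_SPKI:
        return cert.spki
    raise ValueError(f"unknown selector {selector}")


def _matched(data: bytes, matching_type: int) -> bytes:
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_for(cert: Cert, usage: int = DANE_EE, selector: int = SEL_SPKI,
             matching_type: int = MATCH_SHA256) -> TLSA:
    """The record the zone operator publishes for its genuine certificate."""
    return TLSA(usage, selector, matching_type,
                _matched(_selected(cert, selector), matching_type))


def matches(record: TLSA, presented: Cert) -> bool:
    """Does the end-entity certificate seen in the handshake satisfy the record?

    Only DANE-EE (usage 3) is implemented: the presented certificate itself
    must match and no PKIX chain is consulted. Usages 0-2 additionally need
    chain building, which is out of scope here.
    """
    if record.usage != DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    return _matched(_selected(presented, record.selector), record.matching_type) == record.data


# Constructed inputs: the server's real certificate, and the one a TLS
# interception proxy mints for the same name with its own key.
GENUINE = Cert(der=b"constructed-DER:CN=example.net:genuine",
               spki=b"constructed-SPKI:genuine-server-key")
PROXY = Cert(der=b"constructed-DER:CN=example.net:proxy-forged",
             spki=b"constructed-SPKI:proxy-key")


def demo() -> tuple:
    """Publish a '3 1 1' record for GENUINE and check both certificates.

    The proxy's certificate may well pass a PKIX check (enterprise CA or a
    public CA), but it cannot match the TLSA data unless the proxy also
    rewrites the DNSSEC-signed TLSA answer, which it cannot sign.
    """
    record = TLSA.from_presentation(tlsa_for(GENUINE).to_presentation())
    zone_line = "_443._tcp.example.net. IN TLSA " + record.to_presentation()
    return matches(record, GENUINE), matches(record, PROXY), zone_line


if __name__ == "__main__":
    ok_genuine, ok_proxy, zone_line = demo()
    print(zone_line)
    print("genuine cert matches:", ok_genuine, "| proxy cert matches:", ok_proxy)
```

The record form "3 1 1" (DANE-EE, SPKI, SHA-256) is the one most deployments publish because it survives certificate renewals that keep the same key pair; a "3 0 0" record pins the exact DER and would also reject the genuine certificate after every re-issue.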