On Thu, May 30, 2013 at 12:18 PM, Ben Laurie <[email protected]> wrote:
> The issue is not that the clients can't use DNSSEC, the issue is that
> they cannot retrieve DNSSEC records.

+1

That is why the place to put the DNSSEC validator is in the DNS server and why we need to change the client to DNS server protocol so that the client can get the authenticated decision of the validator.

Hence omnibroker.

Omnibroker brokers will probably consume DANE records just like every other piece of data that might affect the trustworthiness of an Internet destination. But once there is a broker in the loop there is no need to worry about latency as the broker can pre-fetch cert status information. In fact we could go back to using CRLs for revocation.

[Omnibroker also good for consuming CT data Ben]

--
Website: http://hallambaker.com/
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
