On Sun, Jul 26, 2015 at 09:38:02AM -0500, Coyo wrote:
> [ Is running a DANE nameserver for a TLD as complex as running a CA? ]
>
> Or am I fundamentally misunderstanding something?

In short, no. Firstly, there's no such thing as a "DANE nameserver",
rather there are nameservers authoritative for a DNSSEC signed zone
that happens to include DANE records.

Running a DNSSEC signed zone is not especially complex.

As for the DANE records, if you have so many servers that it makes
sense to consolidate the various TLSA records into a single trust-anchor
record, and issue the servers certificates signed by that trust
anchor, then you're running a CA, which is as complex as running
a CA (whatever that means).

If on the other hand the number of servers to manage is small
enough, or you have simplified the coordination of server certificates
with the publication of corresponding TLSA (or other DANE) records,
then it is not like running a CA, but rather like running a public
key whitepages service.

--
Viktor.