On Sun, 26 Jul 2015 15:18:11 +0000 Viktor Dukhovni <[email protected]> wrote:
> On Sun, Jul 26, 2015 at 09:38:02AM -0500, Coyo wrote:
>
> > [ Is running a DANE nameserver for a TLD as complex as running a CA? ]
> >
> > Or am I fundamentally misunderstanding something?
>
> In short no. Firstly, there's no such thing as a "DANE nameserver",
> rather there are nameservers authoritative for a DNSSEC signed zone
> that happens to include DANE records.
>
> Running a DNSSEC signed zone is not especially complex.
>
> As for the DANE records, if you have so many servers that it makes
> sense to consolidate the various TLSA records into a single trust-anchor
> record, and issue the servers certificates signed by that trust
> anchor, then you're running a CA, which is as complex as running
> a CA (whatever that means).
>
> If on the other hand the number of servers to manage is small
> enough, or you have simplified the coordination of server certificates
> with the publication of corresponding TLSA (or other DANE) records,
> then it is not like running a CA, but rather like running a public
> key whitepages service.
>
> --
> Viktor.

Thank you, that was helpful. I greatly appreciate your wisdom.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
