On Fri, 12 Feb 2016, Dan York wrote:

> ... that is certainly another answer and perhaps much simpler and easier. Put
> the exact RFC 7469 HPKP header ( https://tools.ietf.org/html/rfc7469 ) in DNS
> as a resource record and then sign that with DNSSEC.
>
> Has anyone ever taken a look at whether that (putting the HPKP header into DNS)
> would be something reasonable to do?

If you are using the http server to send the key info, why not just send
the TLSA RRset as an option? We already have a draft for that:

https://tools.ietf.org/html/draft-shore-tls-dnssec-chain-extension-02

> Given that this would not be with the TLSA record

I don't see why not to use the TLSA record. Its existence basically
means "MUST do TLS with this key, hard fail otherwise".

Paul
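
An added example, not part of this thread or of the draft it references: it takes the pins from a constructed RFC 7469 Public-Key-Pins header value, re-expresses each as an RFC 6698 TLSA record (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256), and applies the hard-fail match described above, where the presented key must match some record in the RRset or the check fails. The SPKI byte strings and the header are constructed placeholders, not real keys, and the function names are my own.

```python
import base64
import hashlib
import re

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo blobs.
# In practice these come from the server's leaf certificate; here they are just
# bytes, since the point is the hashing and encoding, not the key material.
SPKI_DER = b"constructed placeholder SPKI DER bytes, not a real key"
BACKUP_SPKI_DER = b"constructed placeholder for a backup key's SPKI DER"


def hpkp_pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the SPKI DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def tlsa_rdata(spki_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form of an RFC 6698 TLSA record for the same SPKI.

    Defaults: usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo),
    matching type 1 (SHA-256), the DANE counterpart of an HPKP pin-sha256.
    Only that combination is implemented in this example.
    """
    if (selector, mtype) != (1, 1):
        raise ValueError("only selector 1 / matching type 1 is shown here")
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"


def parse_hpkp_pins(header_value: str) -> list[str]:
    """Extract the base64 pin-sha256 values from a Public-Key-Pins header value."""
    return re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header_value)


def hpkp_pins_to_tlsa(header_value: str) -> list[str]:
    """Re-express each HPKP pin as a '3 1 1 <hex>' TLSA record.

    Both formats carry the same SHA-256(SPKI); only the encoding differs
    (base64 in the header, hex in the TLSA presentation format).
    """
    records = []
    for pin in parse_hpkp_pins(header_value):
        digest = base64.b64decode(pin)
        if len(digest) != 32:
            raise ValueError("pin-sha256 must decode to 32 bytes")
        records.append(f"3 1 1 {digest.hex()}")
    return records


def tlsa_matches(rrset: list[str], presented_spki_der: bytes) -> bool:
    """Hard-fail check: True only if some 3 1 1 record matches the presented SPKI."""
    presented = hashlib.sha256(presented_spki_der).hexdigest()
    for rr in rrset:
        fields = rr.split()
        if len(fields) != 4:
            continue  # malformed record: it cannot match, so it is skipped
        usage, selector, mtype, data = fields
        if (usage, selector, mtype) == ("3", "1", "1") and data.lower() == presented:
            return True
    return False


# Constructed Public-Key-Pins header value (RFC 7469 syntax) pinning both placeholders.
HPKP_HEADER = (
    f'pin-sha256="{hpkp_pin_sha256(SPKI_DER)}"; '
    f'pin-sha256="{hpkp_pin_sha256(BACKUP_SPKI_DER)}"; '
    "max-age=5184000; includeSubDomains"
)

if __name__ == "__main__":
    print("HPKP header:", HPKP_HEADER)
    rrset = hpkp_pins_to_tlsa(HPKP_HEADER)
    for rr in rrset:
        print("TLSA:", rr)
    print("presented key matches:", tlsa_matches(rrset, SPKI_DER))
    print("unknown key matches:", tlsa_matches(rrset, b"some other key"))
```

Running it prints the constructed header, its two TLSA equivalents, True for a key covered by the RRset and False for one that is not, which is the hard-fail behaviour the reply refers to. The conversion shows that the payload of a pin-sha256 directive and of a 3 1 1 TLSA record is the same digest, so publishing the TLSA RRset carries the key information without a second DNS encoding of the HTTP header.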

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane