On 4/1/20, Paul Wise  wrote:
> On Wed, Apr 1, 2020 at 6:01 PM vince@ wrote:
>
>> Did the discussion of continuing support for DANE end??
>
> In case I mislead anyone, a clarification:
>
> Debian itself isn't going to actively work on removing support for
> DANE from anything nor removing our DANE/DNSSEC records.
>
> Support for DANE is never going to happen for the web (given the
> opinions of the major browser makers)

Can you share a reference for that?

I can see browsers not trusting the client DNS since they can't tell
if the client resolver is using DNSSEC or not (i.e. they can't tell if
the DANE answer is valid). But now that DOH is supported it seems
like browsers could trust DOH servers that [promise to] do DNSSEC, so
now they could trust DANE?

e.g. the Firefox DOH server seems to have DNSSEC enabled:

$ curl -H 'accept: application/dns-json' \
    'https://mozilla.cloudflare-dns.com/dns-query?name=servfail.sidnlabs.nl&type=a'
{"Status": 2,"TC": false,"RD": true, "RA": true, "AD": false,"CD":
false,"Question":[{"name": "servfail.sidnlabs.nl.", "type":
1}],"Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/servfail.sidnlabs.nl/dnssec/"}

so maybe the tlsa answer can be trusted?

$ curl -H 'accept: application/dns-json' \
    'https://mozilla.cloudflare-dns.com/dns-query?name=_443._tcp.debian.org&type=tlsa'
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD":
false,"Question":[{"name": "_443._tcp.debian.org.", "type":
52}],"Answer":[{"name": "_443._tcp.debian.org.", "type": 52, "TTL":
600, "data": "3 1 1 5F33491E2B2D267F7BFF096AD0DCB4AE5A22C0BE19DB0AB6728BED942F0719FC"}]}

Thanks,
Lee
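To make the point in Lee's message concrete, here is an added example (my own code, not something posted in the thread) of how a DANE-aware client would handle the two DoH replies above. It parses the JSON exactly as returned by the resolver, refuses to use any TLSA data unless the reply is NOERROR with the AD (authenticated data) bit set, decodes the "3 1 1" fields (DANE-EE, SPKI, SHA2-256 per RFC 6698), and compares the association data against a presented certificate or SubjectPublicKeyInfo. The two JSON strings are copied from the message and re-joined where the mail client wrapped them; the certificate and SPKI bytes used in the demo are constructed placeholders, not Debian's real key material.

```python
"""Using DoH replies for DANE the way a careful client would (added example)."""
import hashlib
import json

# Copied from the two curl responses in the thread, re-joined onto single
# lines where the mail client wrapped them.
SERVFAIL_JSON = (
    '{"Status": 2,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,'
    '"Question":[{"name": "servfail.sidnlabs.nl.", "type": 1}],'
    '"Comment": "DNSSEC validation failure. Please check '
    'http://dnsviz.net/d/servfail.sidnlabs.nl/dnssec/"}'
)
DEBIAN_TLSA_JSON = (
    '{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,'
    '"Question":[{"name": "_443._tcp.debian.org.", "type": 52}],'
    '"Answer":[{"name": "_443._tcp.debian.org.", "type": 52, "TTL": 600, '
    '"data": "3 1 1 5F33491E2B2D267F7BFF096AD0DCB4AE5A22C0BE19DB0AB6728BED942F0719FC"}]}'
)

TLSA_TYPE = 52  # RRTYPE number for TLSA (RFC 6698)
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def usable_tlsa_records(doh_json):
    """Parse TLSA records out of a DoH JSON reply, or return [] when the
    reply must not be trusted for DANE.  This is the gate Lee's message
    points at: the resolver must answer NOERROR *and* set AD; without AD
    the TLSA data is an unauthenticated claim and is ignored."""
    reply = json.loads(doh_json)
    if reply.get("Status") != 0 or reply.get("AD") is not True:
        return []
    records = []
    for rr in reply.get("Answer", []):
        if rr.get("type") != TLSA_TYPE:
            continue
        usage, selector, mtype, assoc = rr["data"].split(None, 3)
        records.append({
            "usage": int(usage),
            "selector": int(selector),
            "matching_type": int(mtype),
            # Presentation format may break the hex into spaced groups.
            "assoc_data": bytes.fromhex(assoc.replace(" ", "")),
        })
    return records


def _selected_bytes(record, cert_der, spki_der):
    """Selector 0 covers the whole certificate, 1 only its SPKI."""
    if record["selector"] == 0:
        return cert_der
    if record["selector"] == 1:
        return spki_der
    raise ValueError("unknown TLSA selector %d" % record["selector"])


def _digest(record, data):
    """Matching type 0 is the raw bytes, 1 SHA2-256, 2 SHA2-512."""
    if record["matching_type"] == 0:
        return data
    if record["matching_type"] == 1:
        return hashlib.sha256(data).digest()
    if record["matching_type"] == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type %d" % record["matching_type"])


def tlsa_matches(record, cert_der, spki_der):
    """True if the presented certificate (DER) or its SubjectPublicKeyInfo
    (DER) matches the record's certificate association data."""
    selected = _selected_bytes(record, cert_der, spki_der)
    return _digest(record, selected) == record["assoc_data"]


def make_tlsa_record(usage, selector, mtype, cert_der, spki_der):
    """The operator's side: build the TLSA record that tlsa_matches would
    accept for the given certificate / SPKI."""
    record = {"usage": usage, "selector": selector,
              "matching_type": mtype, "assoc_data": b""}
    record["assoc_data"] = _digest(record, _selected_bytes(record, cert_der, spki_der))
    return record


def describe(record):
    return "%s %s %s %s" % (USAGES.get(record["usage"], "?"),
                            SELECTORS.get(record["selector"], "?"),
                            MATCHING.get(record["matching_type"], "?"),
                            record["assoc_data"].hex().upper())


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a server's DER cert/SPKI.
    FAKE_CERT_DER = b"constructed-certificate-der"
    FAKE_SPKI_DER = b"constructed-spki-der"
    print("servfail reply usable records:", usable_tlsa_records(SERVFAIL_JSON))
    for rec in usable_tlsa_records(DEBIAN_TLSA_JSON):
        print("debian.org:", describe(rec))
        print("  matches the constructed SPKI?", tlsa_matches(rec, FAKE_CERT_DER, FAKE_SPKI_DER))
    own = make_tlsa_record(3, 1, 1, FAKE_CERT_DER, FAKE_SPKI_DER)
    print("self-published:", describe(own), "matches?", tlsa_matches(own, FAKE_CERT_DER, FAKE_SPKI_DER))
```

Note that the AD check is only as good as the DoH server's own validation and the TLS connection to it, which is exactly the "[promise to] do DNSSEC" trust Lee describes; a client that wants to avoid that dependency has to validate the DNSSEC chain itself rather than rely on the flag.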
