On Fri, 10 Jul 2026, Philip Homburg wrote:

When will I get DANE requiring DNSSEC support on my mobile devices?

In theory it should be easy. Not that I expect it to happen because there
is no easy way to make money.

Whatever the reason, in practise it means whatever the IETF designs that
needs DNSSEC as client auth isn't going to get deployed.

The trciky part is connecting a real-world identity to this service. But
that is a problem everywhere.

If this is about restricting / auditing a DNS resolver's own clients,
then an organization can just spin up a private X.509 CA.

Once you do it for something global, then yes you get the headaches of
what it means to be a "user". In practise, you would end up with various
other technologies, OAUTH or otherwise, and I think that would make this
effort even less likely to see real world implementation or deployment.

Hence, my believe that just using VPN Access to your DNS server is far
easier a solution and all the technologies are in place to deploy it,
and to only cover DNS.

Paul

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to