On Sat, 11 Jul 2026, Bill Woodcock wrote:
On Jul 10, 2026, at 16:47, Shumon Huque <[email protected]> wrote:
I am also fairly skeptical about solutions like this being "generally" useful
for client auth, due to the very low penetration of DNSSEC deployment (though it could be
one option amongst a set of solutions that cover a wider range of use cases). The spec
above was designed for specific scenarios where the parties have deployed DNSSEC
infrastructure available. And there is some level of interest (we just got recently
pinged by some Email folks about this).
Agreeing with Shumon,
Everyone doesn’t need a safe at home. But some people do. So we have safes,
and they’re allowed to be in people’s homes.
Everyone doesn’t need security. But some people need security. So I find the
oft-repeated argument that everyone doesn’t need it, so therefore no one should
be allowed to have it, particularly tedious.
Agreed. Also, related to a previous message, we have all the tools we
need to do this. I think that a client cert with a private CA signing the
certs is likely to work better than TLSA (doesn't need DNSSEC, server
check is easier, just look for its own CA) but that's a detail.
For the somewhat similar job of authenticating mail submission, I have 20
year old patches to qmail that do the same thing, look for a client cert
with a private CA signature. We don't need to invent anything.
R's,
John
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]