On Sat, 11 Jul 2026, Bill Woodcock wrote:
On Jul 10, 2026, at 16:47, Shumon Huque <[email protected]> wrote:
 I am also fairly skeptical about solutions like this being "generally" useful 
for client auth, due to the very low penetration of DNSSEC deployment (though it could be 
one option amongst a set of solutions that cover a wider range of use cases). The spec 
above was designed for specific scenarios where the parties have deployed DNSSEC 
infrastructure available. And there is some level of interest (we just got recently 
pinged by some Email folks about this).

Agreeing with Shumon,

Everyone doesn’t need a safe at home.  But some people do.  So we have safes, 
and they’re allowed to be in people’s homes.

Everyone doesn’t need security.  But some people need security.  So I find the 
oft-repeated argument that everyone doesn’t need it, so therefore no one should 
be allowed to have it, particularly tedious.

Agreed. Also, related to a previous message, we have all the tools we need to do this. I think that a client cert with a private CA signing the certs is likely to work better than TLSA (doesn't need DNSSEC, server check is easier, just look for its own CA) but that's a detail.

For the somewhat similar job of authenticating mail submission, I have 20 year old patches to qmail that do the same thing, look for a client cert with a private CA signature. We don't need to invent anything.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to