On Mon, Jan 7, 2013 at 3:31 AM, Robin H. Johnson <robb...@gentoo.org> wrote:
> Thereafter, I'd also like to deploy DANE and SSH
> fingerprints in DNS, and remove our reliance on any elements of the CA
> chain.

Isn't DANE highly experimental and only supported by a couple of
browser plugins? Also, how widespread is client DNSSEC support? E.g., I
enabled DNSSEC for my domain, but not sure yet whether DNS resolution
anywhere will fail in case DNS responses are spoofed.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte