>Last time I checked, setting up DNSSEC is still a bit painful. Few
>registrars, TMK, support DNSSEC directly. Maybe this has changed.
https://www.icann.org/resources/pages/deployment-2012-02-25-en

It's changed somewhat. Some large registrars like GoDaddy, Gandi, and Tucows support it, some like NetSol don't. I have about 300 zones on my DNS server, all signed locally, but I've only been able to upload the DS records for half of them.

For DANE, application software that supports TLSA and DNSSEC-based TLS verification is still pretty thin. Versions of openssl with DANE support only became available within the past month.

Having said all that, it's still far from clear to me that something other than DANE would work any better, particularly considering how cruddy the CA world is turning out to be.

_______________________________________________
Shutup mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/shutup
