Peter Saint-Andre <[email protected]> wrote:

> > I would note that an unsigned TLSA concept would implicitly mandate
> > TLS - as such, the right comparison is with XEP-0220 over TLS,
> > rather than "vanilla" XEP-0220.
>
> I'd be curious to hear what Tony or other DNS experts have to say.
I don't think this is a DNS question per se - it's about systems security: trade-offs between the exploitability of various vulnerabilities, the complexity of various (partial) defences, and the deployability of defences.

I think there might be an advantage to bypassing the ordering constraint that you have to have DNSSEC before you can have DANE before you can have strong certificate checking. But you have to be careful that you have a clear forward path that leads to a good endpoint and is (preferably) downhill all the way.

A related example: OpenSSH uses unsigned SSHFP records as a hint to the user, but does not trust them. So there is a precedent, but it is hard to get a human in the loop on a server-to-server connection :-)

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
