Any administrative procedure that crosses between multiple services in the same organization has always proved to be very hard to pull off. Maybe it should not be that way but that has been the experience.
DNSSEC could in theory just be a command line option to BIND. But putting SSL certs in the zone file requires the admins of the Web server to talk to the people running the DNS. And that proves to be very hard and it also proves to be unreliable.

On Tue, Oct 23, 2012 at 1:52 PM, Andrew Sullivan <[email protected]> wrote:

> On Tue, Oct 23, 2012 at 10:35:00AM -0700, Rick Andrews wrote:
> >
> > Yes, but with DANE w/o PKIX I have to trust that the domain owners with
> > self-signed certs did everything right when generating their keys and
> > certs, because no one is checking them.
> >
>
> This is a bizarre claim. You seem to be arguing that the TLSA
> operation is somehow intrinsically harder than configuring the DNS
> correctly or doing DNSSEC. What makes TLSA peculiarly hard?
>
> Best,
>
> A
>
> --
> Andrew Sullivan
> [email protected]
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey
>

--
Website: http://hallambaker.com/
