On 10/23/2012 02:21 PM, Phillip Hallam-Baker wrote:
> DNSSEC could in theory just be a command line option to BIND. But putting
> SSL certs in the zone file requires the admins of the Web server to talk to
> the people running the DNS. And that proves to be very hard and it also
> proves to be unreliable.

Putting IP addresses into the zone file also requires the admins of the
web server to talk to the people running the DNS, but most people
somehow manage to get it done.  Those who don't, don't have a working
web server, because people can't find it on the 'net.

By extension, if DANE works, then those same web server admins who
somehow figured out how to communicate their IP addresses to the DNS
admins will also figure out how to communicate their public keys to
those same DNS admins.  Those who don't, don't have a working HTTPS
server, because people with DANE-enabled clients won't be able to
connect to it.

I'm not saying DANE is a perfect solution (I particularly don't like the
concentration of hierarchical power represented by the DNS), but the
objections raised here recently are pretty underwhelming.

        --dkg


_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
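As an added illustration of what "communicating the public key to the DNS admins" looks like in practice (example code written for this page, not part of dkg's message and not taken from any DANE implementation): the block builds a constructed toy RSA SubjectPublicKeyInfo, derives the TLSA zone-file line (RFC 6698, usage 3 DANE-EE, selector 1 SPKI, matching type 1 SHA-256) that the web server admin would hand to the DNS admin, and then does the comparison a DANE-enabled client performs against the SPKI the server actually presents. The host name www.example.com, port 443 and the toy modulus are assumptions; the modulus is a placeholder value, not a real key.

```python
import hashlib
import hmac

# Constants from RFC 6698 (TLSA RDATA fields).
USAGE_DANE_EE = 3          # certificate usage 3: domain-issued end-entity cert/key
SELECTOR_FULL_CERT = 0     # selector 0: the full DER certificate
SELECTOR_SPKI = 1          # selector 1: the DER SubjectPublicKeyInfo only
MATCH_FULL = 0             # matching type 0: exact bytes
MATCH_SHA256 = 1           # matching type 1: SHA-256 of the selected data
MATCH_SHA512 = 2           # matching type 2: SHA-512 of the selected data

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), RFC 3279.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed placeholder modulus for the example; NOT a real key.
TOY_MODULUS = (1 << 511) | 0x1234567890ABCDEF | 1
TOY_EXPONENT = 65537


def der_tlv(tag, body):
    """Encode one DER TLV with a definite-length header."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body


def der_integer(value):
    """DER INTEGER for a non-negative int; keeps a leading 0x00 when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def rsa_spki_der(modulus, exponent):
    """Build a DER SubjectPublicKeyInfo for an RSA public key (RFC 3279 shape)."""
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")           # AlgorithmIdentifier {rsaEncryption, NULL}
    pubkey = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))  # RSAPublicKey {n, e}
    bitstring = der_tlv(0x03, b"\x00" + pubkey)                      # BIT STRING, zero unused bits
    return der_tlv(0x30, alg + bitstring)


def tlsa_association_data(der_blob, matching_type):
    """Certificate Association Data field for the chosen matching type."""
    if matching_type == MATCH_FULL:
        return der_blob
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(der_blob).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(der_blob).digest()
    raise ValueError("unknown TLSA matching type %r" % matching_type)


def tlsa_record(host, port, der_blob, usage=USAGE_DANE_EE, selector=SELECTOR_SPKI,
                matching=MATCH_SHA256, proto="tcp"):
    """Zone-file line the web server admin hands to the DNS admin.

    der_blob must already be the data the selector refers to (SPKI for selector 1,
    full certificate for selector 0)."""
    data = tlsa_association_data(der_blob, matching)
    owner = "_%d._%s.%s." % (port, proto, host)
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, matching, data.hex())


def dane_match(record_line, presented_spki_der, presented_cert_der=None):
    """Client side: does a DANE-EE TLSA record match what the server presented?"""
    fields = record_line.split()
    usage, selector, matching = (int(x) for x in fields[3:6])
    published = bytes.fromhex(fields[6])
    if usage != USAGE_DANE_EE:
        raise NotImplementedError("this example only handles usage 3 (DANE-EE)")
    blob = presented_spki_der if selector == SELECTOR_SPKI else presented_cert_der
    if blob is None:
        return False
    # Constant-time comparison; the record is what the DNS admin published.
    return hmac.compare_digest(tlsa_association_data(blob, matching), published)


# What the web admin sends over, and what the client later checks.
EXAMPLE_SPKI = rsa_spki_der(TOY_MODULUS, TOY_EXPONENT)
EXAMPLE_RECORD = tlsa_record("www.example.com", 443, EXAMPLE_SPKI)

if __name__ == "__main__":
    print(EXAMPLE_RECORD)
    print("matches presented key:", dane_match(EXAMPLE_RECORD, EXAMPLE_SPKI))
    print("matches a different key:",
          dane_match(EXAMPLE_RECORD, rsa_spki_der(TOY_MODULUS + 2, TOY_EXPONENT)))
```

The zone-file line is the whole of the inter-team hand-off dkg is describing: one owner name (`_443._tcp.www.example.com.`) and one RDATA string, no different in kind from an A record. If the published hash does not match the key the server presents, `dane_match` returns False and a DANE-enforcing client refuses the connection, which is exactly the "doesn't have a working HTTPS server" outcome described above.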
