On Mon, Jul 28, 2014 at 3:15 PM, Ben Laurie <[email protected]> wrote:

> Two points:
>
> 1. In the limit, is there really a noticeable difference between doing
> transparency for DANE and doing transparency for all of DNSSEC?
>
> 2. DNSSEC surely exists for reasons other than to secure TLSA records.
> I therefore don't buy that there's no point to making the rest of
> DNSSEC transparent.
>
> Which is not to say that a DANE-specific transparency project isn't
> worth pursuing, but I don't think doing so removes the value of a
> general DNSSEC transparency project.

+1

Unless DANE is bjorked, it should be easier to apply DANE to the
DNSSEC system and then DANE rather than just DANE/TLS.

The only advantage to doing it piecemeal is that you have more wiggle
room. Which is very useful when dealing with an infrastructure like
SMTP where the biggest problem you always face is the deployed legacy
base.

Using wiggle room when you shouldn't need it is going to result in a
spec that is stovepiped to one application and will be very hard to
port to anything else.

On top of which, DANE's Achilles heel is the problem of deployment.
Getting all the folk who need to move in one direction is really hard.
We will have a functioning TRANS system operational long before
DNSSEC. So using TRANS as leverage to deploy DNSSEC makes a lot more
sense than waiting around.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
