As Viktor isn't subscribed to this list I forward his answer... and correct the subject :-)
Andreas
--- Begin Message ---
On Tue, Sep 30, 2014 at 02:47:35PM +0200, A. Schulze wrote:
> Today I learned from Viktor Dukhovni it's strongly recommended to use TLSA
> Records type 3-1-1 ( Selector = SubjectPublicKeyInfo )

That's best practice for the DANE-EE(3) certificate usage. One gains nothing in terms of security with "3 0 1" records. However, not much is lost, just the ability to re-use the TLSA RR when a certificate with *the same* key replaces the old. So largely "3 0 1" is good enough, and not recommended simply because it is never better. Some day "3 1 1" will also work with "raw public keys" (RFC 7250 IIRC), but "3 0 1" will not.

> Would it be possible to modify ldns-dane to simply create
> the record in a recommended way?

So while this is not a major issue, I support the request.

-- 
	Viktor.

P.S. I'm not subscribed to unbound-users, so you may need to forward this.
--- End Message ---
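To make the re-use point concrete, here is an added example (not ldns-dane's code and not from either poster) that derives the "3 0 1" and "3 1 1" rdata from a DER certificate and shows that only the SPKI-based record stays the same when a certificate is re-issued for the same key. It walks the RFC 5280 Certificate layout with a minimal DER reader; the certificates are constructed stand-ins with placeholder issuer, validity, subject and signature fields, not real X.509 objects.

```python
import hashlib

# Minimal DER helpers (constructed for this example, not a full ASN.1 library).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):
    return der(0x30, b"".join(items))

def der_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV from a Certificate (RFC 5280 order)."""
    _, cert, _ = der_read(cert_der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)       # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                     # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                  # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, nxt = der_read(tbs, pos)
    return tbs[pos:nxt]                 # exactly what selector 1 hashes

def tlsa_rdata(cert_der, selector):
    """Usage 3 (DANE-EE), selector 0 (full cert) or 1 (SPKI), matching type 1 (SHA-256)."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

# Constructed stand-in certificate: only serial and SPKI carry content.
def fake_cert(serial, spki):
    version = der(0xA0, der(0x02, b"\x02"))                     # v3
    tbs = seq(version, der(0x02, serial), seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), der(0x03, b"\x00placeholder-signature"))

# rsaEncryption OID with NULL params; key bits are a constructed placeholder.
SPKI = seq(seq(der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05, b"")),
           der(0x03, b"\x00constructed-key-bytes"))
OLD_CERT = fake_cert(b"\x01", SPKI)
NEW_CERT = fake_cert(b"\x02", SPKI)   # re-issued: new serial, same key
```

Running `tlsa_rdata` on both certificates gives identical "3 1 1" rdata but different "3 0 1" rdata, which is exactly the re-use property Viktor describes.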
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
