[dane] How to Reduce Multiple TA/CA "2 s m"/"0 s m" Or Same C_A_D TLSAs Using Wildcard TLSA

Tue, 25 Jun 2013 08:42:51 -0700 

When specifying multiple DANE TLSA records for various TLS / SSL
supported encrypted communication:

Then, if each service port has Two TLSAs, where, one "TLSA 2 s m"
(or one "TLSA 0 s m") RR is for declaring Root-CA or TA TLS/SSL
cert, and, another "TLSA 1 s m" (or one "TLSA 3 s m") is for
declaring EE/Server TLS/SSL cert.

Then, it results into lot of same "TLSA 2 s m" (or "TLSA 0 s m") RR
for all those services/ports.

And, if only one TLSA is declared for each service/port, even then,
it results into lot of exact same C_A_D.

What can be done to reduce it ?

C_A_D = Certificate Association Data.
SLD = Second/2nd Level Domain.
TLD = Top Level Domain.
[x] = The portion inside 3rd-Brace is optional. Depends on user's
own preferences.
TTL = Time To Live.
[host.] = Third/3rd Level Domain / Service Domain / Hostname.
EE = End Entity. Here, its used to indicate toward a service in a
server.
IA = Intermediate Authority.
CA = Certificate Authority.
TA = Trust Anchor.

I see RFC 6698 Section A.2.1.3. (Provisioning TLSA Records with
Wildcards) showing common location can be

*._tcp.host.SLD.TLD. IN TLSA u s m C_A_D

It can also be written like these:

_port._proto.[host.]SLD.TLD. [TTL] IN TLSA u s m C_A_D
*._proto.[host.]SLD.TLD. [TTL] IN TLSA u s m C_A_D

And such TLS / SSL cert chain is in use:

EE/Server <-- IA <-- CA/TA.
or,
Level-0 <- Level-1 <- Level-2.
or,
EE/Server {s1, s2, im1, im2, www, m} <-- IA (domA.tld) <-- CA/TA
(Root-CA).

A zone file:

domA.tld. 3600 IN SOA s1.domA.tld. hostmaster.domA.tld. 2013052910
18000 3600 864000 3600
domA.tld. 3000 IN NS s1.domA.tld.
domA.tld. 3000 IN NS s2.domA.tld.
domA.tld. 300 IN A    IP.ADRS_S-1_IPv4
domA.tld. 300 IN A    IP.ADRS_S-2_IPv4
domA.tld. 300 IN A    IP.ADRS_S-IM-1_IPv4
domA.tld. 300 IN A    IP.ADRS_S-IM-2_IPv4
domA.tld. 300 IN AAAA IP::ADRS_S-1_IPv6
domA.tld. 300 IN AAAA IP::ADRS_S-2_IPv6
domA.tld. 300 IN AAAA IP::ADRS_S-IM-1_IPv6
domA.tld. 300 IN AAAA IP::ADRS_S-IM-2_IPv6
s1.domA.tld. 900 IN A    IP.ADRS_S-1_IPv4
s2.domA.tld. 900 IN A    IP.ADRS_S-2_IPv4
im.domA.tld. 900 IN A    IP.ADRS_S-IM-1_IPv4
im2.domA.tld. 900 IN A    IP.ADRS_S-IM-2_IPv4
s1.domA.tld. 900 IN AAAA IP::ADRS_S-1_IPv6
s2.domA.tld. 900 IN AAAA IP::ADRS_S-2_IPv6
im.domA.tld. 900 IN AAAA IP::ADRS_S-IM-1_IPv6
im2.domA.tld. 900 IN AAAA IP::ADRS_S-IM-2_IPv6
www.domA.tld. 300 IN CNAME domA.tld.
m.domA.tld. 300 IN CNAME domA.tld.
_http._tcp.domA.tld. 3600 IN SRV 0 0 80 www.domA.tld.
_https._tcp.domA.tld. 3600 IN SRV 0 0 443 www.domA.tld.
_http._tcp.www.domA.tld. 3600 IN SRV 0 0 80 www.domA.tld.
_https._tcp.www.domA.tld. 3600 IN SRV 0 0 443 www.domA.tld.
_http._tcp.m.domA.tld. 3600 IN SRV 0 0 80 m.domA.tld.
_https._tcp.m.domA.tld. 3600 IN SRV 0 0 443 m.domA.tld.
domA.tld. 3600 IN MX 10 s1.domA.tld.
domA.tld. 3600 IN MX 20 s2.domA.tld.
_smtp._tcp.domA.tld. 3600 IN SRV 10 0 25 s1.domA.tld.
_smtp._tcp.domA.tld. 3600 IN SRV 20 0 25 s2.domA.tld.
_smtp._tcp.s1.domA.tld. 3600 IN SRV 10 0 25 s1.domA.tld.
_smtp._tcp.s1.domA.tld. 3600 IN SRV 20 0 25 s2.domA.tld.
_smtp._tcp.s2.domA.tld. 3600 IN SRV 10 0 25 s2.domA.tld.
_smtp._tcp.s2.domA.tld. 3600 IN SRV 20 0 25 s1.domA.tld.
_submission._tcp.domA.tld. 3600 IN SRV 10 0 587 s1.domA.tld.
_submission._tcp.domA.tld. 3600 IN SRV 20 0 587 s2.domA.tld.
_submission._tcp.s1.domA.tld. 3600 IN SRV 10 0 587 s1.domA.tld.
_submission._tcp.s1.domA.tld. 3600 IN SRV 20 0 587 s2.domA.tld.
_submission._tcp.s2.domA.tld. 3600 IN SRV 10 0 587 s2.domA.tld.
_submission._tcp.s2.domA.tld. 3600 IN SRV 20 0 587 s1.domA.tld.
_imaps._tcp.domA.tld. 1200 IN SRV 0 0 993 s1.domA.tld.
_imaps._tcp.domA.tld. 1200 IN SRV 5 0 993 s2.domA.tld.
_imaps._tcp.s1.domA.tld. 1200 IN SRV 0 0 993 s1.domA.tld.
_imaps._tcp.s1.domA.tld. 1200 IN SRV 5 0 993 s2.domA.tld.
_imaps._tcp.s2.domA.tld. 1200 IN SRV 0 0 993 s2.domA.tld.
_imaps._tcp.s2.domA.tld. 1200 IN SRV 5 0 993 s1.domA.tld.
_pops._tcp.domA.tld. 1200 IN SRV 0 0 995 s1.domA.tld.
_pops._tcp.domA.tld. 1200 IN SRV 5 0 995 s2.domA.tld.
_pops._tcp.s1.domA.tld. 1200 IN SRV 0 0 995 s1.domA.tld.
_pops._tcp.s1.domA.tld. 1200 IN SRV 5 0 995 s2.domA.tld.
_pops._tcp.s2.domA.tld. 1200 IN SRV 0 0 995 s2.domA.tld.
_pops._tcp.s2.domA.tld. 1200 IN SRV 5 0 995 s1.domA.tld.
; Skipping SMTP (Port 26) based 3rd email-server.
_xmpp-client._tcp.domA.tld. 900 IN SRV 0 0 5222 im.domA.tld.
_xmpp-client._tcp.domA.tld. 900 IN SRV 1 0 5222 im2.domA.tld.
_xmpp-client._tcp.domA.tld. 900 IN SRV 2 0 15222 im.domA.tld.
_xmpp-client._tcp.domA.tld. 900 IN SRV 3 0 15222 im2.domA.tld.
_xmpp-client._tcp.im.domA.tld. 900 IN SRV 0 0 5222 im.domA.tld.
_xmpp-client._tcp.im.domA.tld. 900 IN SRV 1 0 15222 im.domA.tld.
_xmpp-client._tcp.im.domA.tld. 900 IN SRV 2 0 5222 im2.domA.tld.
_xmpp-client._tcp.im.domA.tld. 900 IN SRV 3 0 15222 im2.domA.tld.
_xmpp-client._tcp.im2.domA.tld. 900 IN SRV 0 0 5222 im2.domA.tld.
_xmpp-client._tcp.im2.domA.tld. 900 IN SRV 1 0 15222 im2.domA.tld.
_xmpp-client._tcp.im2.domA.tld. 900 IN SRV 2 0 5222 im.domA.tld.
_xmpp-client._tcp.im2.domA.tld. 900 IN SRV 3 0 15222 im.domA.tld.
_xmpp-server._tcp.domA.tld. 1800 IN SRV 0 0 5269 im.domA.tld.
_xmpp-server._tcp.domA.tld. 1800 IN SRV 1 0 5269 im2.domA.tld.
_xmpp-server._tcp.domA.tld. 1800 IN SRV 2 0 15269 im.domA.tld.
_xmpp-server._tcp.domA.tld. 1800 IN SRV 3 0 15269 im2.domA.tld.
_xmpp-server._tcp.im.domA.tld. 1800 IN SRV 0 0 5269 im.domA.tld.
_xmpp-server._tcp.im.domA.tld. 1800 IN SRV 1 0 15269 im.domA.tld.
_xmpp-server._tcp.im.domA.tld. 1800 IN SRV 2 0 5269 im2.domA.tld.
_xmpp-server._tcp.im.domA.tld. 1800 IN SRV 3 0 15269 im2.domA.tld.
_xmpp-server._tcp.im2.domA.tld. 1800 IN SRV 0 0 5269 im2.domA.tld.
_xmpp-server._tcp.im2.domA.tld. 1800 IN SRV 1 0 15269 im2.domA.tld.
_xmpp-server._tcp.im2.domA.tld. 1800 IN SRV 2 0 5269 im.domA.tld.
_xmpp-server._tcp.im2.domA.tld. 1800 IN SRV 3 0 15269 im.domA.tld.
; And multiple SIP services are configured
; similar to above XMPP services.
_sip._tcp.domA.tld. 1200 IN SRV 0 0 5060 im.domA.tld.
_sip._tcp.domA.tld. 1200 IN SRV 1 0 5060 im2.domA.tld.
_sip._tcp.domA.tld. 1200 IN SRV 2 0 15060 im.domA.tld.
_sip._tcp.domA.tld. 1200 IN SRV 3 0 15060 im2.domA.tld.
_sips._tcp.domA.tld. 1200 IN SRV 0 0 5061 im.domA.tld.
_sips._tcp.domA.tld. 1200 IN SRV 1 0 5061 im2.domA.tld.
_sips._tcp.domA.tld. 1200 IN SRV 2 0 15061 im.domA.tld.
_sips._tcp.domA.tld. 1200 IN SRV 3 0 15061 im2.domA.tld.
; Skipping rest of SIP related SRV declarations.
_irc._tcp.domA.tld. 1800 IN SRV 0 0 6667 im.domA.tld.
_irc._tcp.domA.tld. 3600 IN SRV 1 0 6667 im2.domA.tld.
_irc._tcp.domA.tld. 3600 IN SRV 2 0 6669 im.domA.tld.
_irc._tcp.domA.tld. 3600 IN SRV 3 0 6669 im2.domA.tld.
_irc._tcp.im.domA.tld. 1800 IN SRV 0 0 6667 im.domA.tld.
_irc._tcp.im.domA.tld. 3600 IN SRV 1 0 6669 im.domA.tld.
_irc._tcp.im.domA.tld. 3600 IN SRV 2 0 6667 im2.domA.tld.
_irc._tcp.im.domA.tld. 3600 IN SRV 3 0 6669 im2.domA.tld.
_irc._tcp.im2.domA.tld. 1800 IN SRV 0 0 6667 im2.domA.tld.
_irc._tcp.im2.domA.tld. 3600 IN SRV 1 0 6669 im2.domA.tld.
_irc._tcp.im2.domA.tld. 3600 IN SRV 2 0 6667 im.domA.tld.
_irc._tcp.im2.domA.tld. 3600 IN SRV 3 0 6669 im.domA.tld.
; Skipping rest of IRC related SRV declarations.;
; RRSIGs are not mentioned, but they exist when DNSSEC signed.

Here, "im" & "im2" both host are running same software based
services, on multiple ports, for slightly better traffic handling,
for slightly better QoS, and for load-balancing, and to overcome few
other software limitations.

What is the secure port 5223's service name ? of _xmpp-client (Port
5222).

What is the secure port 6697's service name ? of _irc (Port 6667).

So, instead of specifying TLSA for same TA crt like this example, in
a zone file:

_443._tcp.www.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_443._tcp.www.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_www_domA_srvr-crt
_443._tcp.m.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_443._tcp.m.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_m_domA_srvr-crt
_25._tcp.s1.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_25._tcp.s1.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s1_domA_srvr-crt
_25._tcp.s2.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_25._tcp.s2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s2_domA_srvr-crt
_587._tcp.s1.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_587._tcp.s1.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s1_domA_srvr-crt
_587._tcp.s2.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_587._tcp.s2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s2_domA_srvr-crt
_993._tcp.s1.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_993._tcp.s1.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s1_domA_srvr-crt
_993._tcp.s2.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_993._tcp.s2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s2_domA_srvr-crt
_5223._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_5223._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15223._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_15223._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5223._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_5223._tcp.im2.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15223._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_15223._tcp.im2.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5269._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_5269._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15269._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_15269._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5269._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_5269._tcp.im2.domA.tld. 900 IN TLSA 1 0 0 C_A_D_of_im_domA_srvr-crt
_15269._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_15269._tcp.im2.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5061._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_5061._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15061._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_15061._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5061._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_5061._tcp.im2.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15061._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_15061._tcp.im2.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_6697._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_6697._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_6699._tcp.im.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_6699._tcp.im.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_6697._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_6697._tcp.im2.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_6699._tcp.im2.domA.tld. 900 IN TLSA 2 0 1 C_A_D_of_TA-crt
_6699._tcp.im2.domA.tld. 900 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt

= 48 lines.

(Practical/real servers, which uses service location dns SRV
declarations, for running multiple services on same machine, or,
pointing toward multiple services on different machines, have much
more such service ports, and will result into declaring same C_A_D
again and again).

Can those be implemented in common location like this (alternative)
example ?

*._tcp.www.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_443._tcp.www.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_www_domA_srvr-crt
*._tcp.m.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_443._tcp.m.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_m_domA_srvr-crt
*._tcp.s1.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_25._tcp.s1.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_mail_domA_srvr-crt
_587._tcp.s1.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_mail_domA_srvr-crt
_993._tcp.s1.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_mail_domA_srvr-crt
*._tcp.s2.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_25._tcp.s2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_mail_domA_srvr-crt
_587._tcp.s2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_mail_domA_srvr-crt
_993._tcp.s2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_mail_domA_srvr-crt
*._tcp.im.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_6697._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_6699._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5223._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15223._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5269._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15269._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5061._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15061._tcp.im.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
*._tcp.im2.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
_6697._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_6699._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5223._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15223._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5269._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15269._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_5061._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt
_15061._tcp.im2.domA.tld. 360 IN TLSA 1 0 2 C_A_D_of_im_domA_srvr-crt

= 30 lines.

And here, "im" host is using only one EE/Server TLS/SSL cert for its
all encrypted services, (and so is "im2", "s1", "s2", "www" hosts),
so can we reduce TLSA DNS declarations even further, like this ?

*._tcp.www.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
*._tcp.www.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_www_domA_srvr-crt
*._tcp.m.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
*._tcp.m.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_m_domA_srvr-crt
*._tcp.s1.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
*._tcp.s1.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s1_domA_srvr-crt
*._tcp.s2.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
*._tcp.s2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_s2_domA_srvr-crt
*._tcp.im.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
*._tcp.im.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_im_domA_srvr-crt
*._tcp.im2.domA.tld. 360 IN TLSA 2 0 1 C_A_D_of_TA-crt
*._tcp.im2.domA.tld. 360 IN TLSA 1 0 0 C_A_D_of_im2_domA_srvr-crt

= 12 lines.

Here "TLSA 1 s m" EE is used (instead of "TLSA 3 s m" EE), to
instruct/indicate client-side, that they must check full TLS/SSL
chain for this EE/Server TLS/SSL cert, (if client's user also have
similar preference settings).

(Based on my own limited understanding in this/these case), One of
the way to say it, or, domain-owner is trying to say in this case :
Hey TLSA/DANE-aware clients, first get EE/server TLS-cert, for
example, for port 5223, from "TLSA 1 s m" DNS record and also from
server's TLS secured port 5223, if it is a EE/Servr cert under
another Root-CA or Intermediate cert, then in second-step,  check
at-first, if the same port (5223) have a "TLSA 2 s m" TA RR or a
"TLSA 0 s m" CA RR present or not ? If yes/present, check validity
of "TLSA 1 s m" based EE/Servr TLS cert and its chain,  But if same
port (5223) does not have a "TLSA 2 s m" or "TLSA 0 s m", then check
in-second, for a TLSA in common location like
"*._tcp.host.domain.tld." or in "*._tcp.domain.tld.", if found,
check validity of Root-CA/TA/IA TLS-cert, and the EE TLS cert under
it nad also check validity of TLS cert chain. And then on success,
finally use EE/Servr TLS cert for encrypted communication for port
5223 based XMPP service.

So my understanding, it will work, or be effective, only when
DANE/TLSA-aware clients supports such/similar logic based
provisional checking (or wildcard based checking).

Is wildcard TLSA yet supported by any client-side ?

Do "Extended DNSSEC Validator" addon for Firefox, or, Bloodhound
browser (based on Firefox) understands & uses it (wildcard TLSA) to
create TLS/SSL encrypted communication ? or, can they even use
wildcard TLSA and DANE-logics/protocols yet ?

Or, should i add nameserver functionality in each server, like "im1"
and "im2" as well ? (like "s1" & "s2") and then define only "im" or
"im2" sub-domain zone file with related DNS RR set only ? then main
zone file's DNS rr can be reduced. And if wanted, wilcard usage can
be avoided.

Or, what alternative solution exist ?

Please point out mistakes, errors, and, specify what is correct.

Thanks in advance.
-- Bright Star.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane

Reply via email to