On 24/03/2014 14:23, Raphael Geissert wrote:
>> Anyway, I strongly recommend that nobody waste their time on an issue
>> which in a couple of years will be much less relevant thanks to DANE.
> If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped
> support for the latter due to the lack of use[1].
>
> [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
>

Lack of use? No kidding. TLSA RRs were promoted to IETF proposed standard in August 2012[1]. And DNS servers have only had support for them since recently (I'd say 6 months to 1 year).

If I understood correctly, Chromium/Google Chrome only supported DNSSEC validation. The issue with that kind of protocol is that you must trust your resolver, or have a resolver on your machine, bypassing any existing resolver cache of your network provider.

However, I've been using DNSSEC Validator[2] on Firefox for quite a long time, and I'm very happy with it. I'll be glad to see it merged, so that we can really get rid of those EV x509 certificates, and be able to provide secure self-hosting solutions for everyone without big scary warnings.

[1]http://tools.ietf.org/html/rfc6698
[2]https://www.dnssec-validator.cz/

Have a good day,

Adrien