On Mon, Mar 24, 2014 at 02:58:55PM +0100, Peter Palfrader wrote:
> On Mon, 24 Mar 2014, Adrien CLERC wrote:
>
> > On 24/03/2014 14:23, Raphael Geissert wrote:
> > >> Anyway, I strongly recommend that nobody waste their time on an issue
> > >> which in a couple of years will be much less relevant thanks to DANE.
> > > If only people actually used DNSSEC and DANE - Chromium/Google Chrome
> > > dropped support for the latter due to the lack of use[1].
> > >
> > > [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
> > >
> > Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> > standard in August 2012[1]. And DNS servers haven't support for them
> > since recently (I'd say 6 months to 1 year).
>
> DNS servers have supported them for years; RFC3597 is over a decade old
> by now.

RFC3597 does not specify TLSA records; it only specifies how DNS servers
should handle RRs with unknown (to them) RDATA format. It is essential to
allow new features to be propagated over the DNS network, but it does not
necessarily implement TLSA at the signing zone -- and that, apart from
widespread user agent support, is a pretty critical prerequisite for
actually starting to use DANE.

--
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem and you
will not go to space today.
  -- http://xkcd.com/1133/
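
The distinction drawn in this message, as an added example that is not part of the original thread: RFC 3597 lets a server carry a TLSA record as opaque `TYPE52 \# <length> <hex>` data, while building and interpreting the RDATA (usage, selector, matching type, association data, per RFC 6698) is left to tooling that understands TLSA. The function names are hypothetical and the hashed input is a constructed byte string, not a real certificate.

```python
import hashlib

TLSA_TYPE = 52  # RR type code assigned to TLSA


def tlsa_rdata(usage: int, selector: int, mtype: int, assoc: bytes) -> bytes:
    """Build TLSA wire-format RDATA: three one-byte fields, then the data."""
    for name, value in (("usage", usage), ("selector", selector), ("mtype", mtype)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} must fit in one byte")
    if not assoc:
        raise ValueError("certificate association data must not be empty")
    return bytes([usage, selector, mtype]) + assoc


def to_generic(rrtype: int, rdata: bytes) -> str:
    """RFC 3597 presentation of an RR type the server has no parser for."""
    return f"TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}"


def from_generic(text: str) -> tuple[int, bytes]:
    """Parse 'TYPE<n> \\# <len> <hex...>' and check the declared length."""
    parts = text.split()
    if len(parts) < 3 or not parts[0].upper().startswith("TYPE") or parts[1] != "\\#":
        raise ValueError("not RFC 3597 generic syntax")
    rrtype, length = int(parts[0][4:]), int(parts[2])
    rdata = bytes.fromhex("".join(parts[3:]))  # hex may be split by spaces
    if len(rdata) != length:
        raise ValueError("declared RDATA length does not match the hex data")
    return rrtype, rdata


def parse_tlsa(rdata: bytes) -> tuple[int, int, int, bytes]:
    """Only TLSA-aware software can split the opaque bytes into fields."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


if __name__ == "__main__":
    # Constructed sample: SHA-256 over placeholder bytes, not a real key.
    digest = hashlib.sha256(b"constructed sample public key bytes").digest()
    rdata = tlsa_rdata(3, 1, 1, digest)  # usage 3, selector 1, SHA-256 match
    line = to_generic(TLSA_TYPE, rdata)
    print("_443._tcp.www.example.com. IN", line)
    print(parse_tlsa(from_generic(line)[1])[:3])
```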