On Tue, 25 Mar 2014, Wouter Verhelst wrote:
> > > Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> > > standard in August 2012[1]. And DNS servers haven't had support for them
> > > until recently (I'd say 6 months to 1 year).
> >
> > DNS servers have supported them for years; RFC3597 is over a decade old
> > by now.
>
> RFC3597 does not specify TLSA records; it only specifies how DNS servers
> should handle RRs with unknown (to them) RDATA format. It is essential to
> allow new features to be propagated over the DNS network, but it does not
> necessarily implement TLSA at the signing zone -- and that, apart from
> widespread user agent support, is a pretty critical prerequisite for
> actually starting to use DANE.
The claim was that DNS servers didn't support it. All you need is RFC3597
support to add TLSA records to your zone. e.g.:

} _443._tcp.www.debian.org. IN TYPE52 \# 35 03010124b4287bf05f884f844373ac21f5afd3f74a31881c907c1e2712248e7ade9ab1

-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Archive: https://lists.debian.org/20140325065627.gt1...@anguilla.noreply.org
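The generic RFC 3597 form Peter shows is just the raw TLSA RDATA (RFC 6698: one byte each of certificate usage, selector and matching type, then the certificate association data) written as `\# <length> <hex>`. The script below is an added example, not code from Peter or from Debian: it parses that generic form back into its fields, checks that the declared length and the digest length agree with the data, and can emit both the generic and the native `3 1 1 <hex>` presentation so a zone maintainer can cross-check a record before signing. The record string is the one quoted in the message (assumed to be verbatim); the function and constant names are mine.

```python
import re
from dataclasses import dataclass

# TLSA RDATA layout (RFC 6698): usage (1 byte), selector (1 byte),
# matching type (1 byte), certificate association data (the rest).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
# Fixed digest sizes for the hash matching types; type 0 carries the full
# certificate or SPKI and has no fixed length.
DIGEST_LEN = {1: 32, 2: 64}

# RFC 3597 generic presentation: TYPE52 \# <rdlength> <hex words...>
# The hex may be split into several whitespace-separated words.
GENERIC_RE = re.compile(r"^TYPE52\s+\\#\s+(\d+)((?:\s+[0-9a-fA-F]+)*)\s*$",
                        re.IGNORECASE)

# The record quoted in the message above (assumed verbatim).
DEBIAN_TLSA_GENERIC = (
    "TYPE52 \\# 35 "
    "03010124b4287bf05f884f844373ac21f5afd3f74a31881c907c1e2712248e7ade9ab1"
)


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def to_generic(self) -> str:
        """RFC 3597 form, loadable by any server with generic-RR support."""
        raw = bytes([self.usage, self.selector, self.matching_type]) + self.data
        return f"TYPE52 \\# {len(raw)} {raw.hex()}"

    def to_native(self) -> str:
        """RFC 6698 presentation form, for servers that know the TLSA type."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def validate(rec: TLSARecord) -> None:
    """Reject field values and digest lengths RFC 6698 does not define."""
    if rec.usage not in USAGES:
        raise ValueError(f"unknown certificate usage {rec.usage}")
    if rec.selector not in SELECTORS:
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.matching_type not in MATCHING_TYPES:
        raise ValueError(f"unknown matching type {rec.matching_type}")
    expected = DIGEST_LEN.get(rec.matching_type)
    if expected is not None and len(rec.data) != expected:
        raise ValueError(f"{MATCHING_TYPES[rec.matching_type]} needs "
                         f"{expected} bytes, got {len(rec.data)}")


def parse_generic(rdata: str) -> TLSARecord:
    """Parse 'TYPE52 \\# N hex...' into a TLSARecord, checking N against the data."""
    m = GENERIC_RE.match(rdata.strip())
    if not m:
        raise ValueError("not an RFC 3597 TYPE52 record")
    declared = int(m.group(1))
    hexdata = "".join(m.group(2).split())
    if len(hexdata) % 2:
        raise ValueError("odd number of hex digits in RDATA")
    raw = bytes.fromhex(hexdata)
    if len(raw) != declared:
        raise ValueError(f"\\# declares {declared} bytes but RDATA has {len(raw)}")
    if len(raw) < 3:
        raise ValueError("TLSA RDATA needs usage, selector and matching type")
    rec = TLSARecord(raw[0], raw[1], raw[2], raw[3:])
    validate(rec)
    return rec


def describe(rdata: str) -> str:
    """One-line summary of a generic TLSA RDATA string, or an ERROR line."""
    try:
        rec = parse_generic(rdata)
    except ValueError as exc:
        return f"ERROR: {exc}"
    return (f"{USAGES[rec.usage]} {SELECTORS[rec.selector]} "
            f"{MATCHING_TYPES[rec.matching_type]} {rec.data.hex()}")


if __name__ == "__main__":
    print(describe(DEBIAN_TLSA_GENERIC))
    print(parse_generic(DEBIAN_TLSA_GENERIC).to_native())
```

Run against the quoted record it reports `DANE-EE SPKI SHA2-256 24b4...`, i.e. usage 3, selector 1, matching type 1 with a 32-byte digest, which is why the length field is 35. A record whose `\#` count or digest length does not match is reported as an error rather than loaded, which is the check worth running over a zone before it is signed, since a mis-sized TLSA record silently fails DANE validation in every client.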