Hello DNSSEC Validator Team,

Recently, I uploaded a draft to the IETF with the goal of furthering the adoption of DANE.
https://datatracker.ietf.org/doc/draft-cem-dane-assertion

The method is to use a “Dane-Validation-Assertion” header or DVA header. I envision this as working as follows: A site sends the DVA header to a browser that tells the browser the browser will then do a lookup over DNSSEC for a TLSA (DANE) record to perform additional validations on the certificate.

I'd appreciate your feedback on this draft. I think that this could definitely improve the performance of your validator, allowing it to skip sites that will never (at least in the near term) have DANE and concentrate on the sites that do include it.

If you add support for DVA, then I believe an announcement and coordination with site operators could allow them to roll out this header (or be included in the preloaded list as described in the draft).

Thank you for your consideration,
Carl Mehner
_______________________________________________
dnssec-validator-users mailing list
[email protected]
https://lists.nic.cz/cgi-bin/mailman/listinfo/dnssec-validator-users
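The flow described in the message above, sketched as an added example (not code from the draft, the poster, or the DNSSEC Validator project): a validator sends no TLSA query unless the response carries the header, then applies RFC 6698 association matching to the end-entity certificate. Assumptions: only the header's presence is checked (its value syntax is not modelled), `lookup` is a hypothetical resolver hook, failing when the header is asserted but no validated matching record exists is this sketch's own policy, and the certificate bytes are constructed placeholders.

```python
import hashlib
from typing import Callable, List, Mapping, NamedTuple, Tuple

DVA_HEADER = "dane-validation-assertion"  # name from the message; value syntax not modelled

class TLSA(NamedTuple):
    usage: int     # RFC 6698: 1 = PKIX-EE, 3 = DANE-EE (0 and 2 need the chain)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 association match against the end-entity certificate only."""
    if rec.usage not in (1, 3):
        return False  # trust-anchor usages need chain building, out of scope here
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False  # unknown selector: record unusable
    if rec.mtype == 0:
        return selected == rec.data
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(rec.mtype)
    return algo is not None and algo(selected).digest() == rec.data

def dva_decision(headers: Mapping[str, str],
                 lookup: Callable[[], Tuple[bool, List[TLSA]]],
                 cert_der: bytes, spki_der: bytes) -> str:
    """Return 'skip', 'pass' or 'fail' for one HTTPS response."""
    if DVA_HEADER not in {name.lower() for name in headers}:
        return "skip"  # no assertion: no TLSA query is sent at all
    secure, records = lookup()  # hypothetical resolver hook: (DNSSEC-validated?, RRset)
    if not secure or not records:
        return "fail"  # policy of this sketch, not taken from the draft
    ok = any(tlsa_matches(r, cert_der, spki_der) for r in records)
    return "pass" if ok else "fail"

# Constructed sample input: placeholder bytes stand in for real DER encodings.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-spki-der"
GOOD = TLSA(3, 1, 1, hashlib.sha256(SPKI).digest())
BAD = TLSA(3, 1, 1, hashlib.sha256(b"some-other-key").digest())
ASSERTED = {"Dane-Validation-Assertion": "constructed-value"}

if __name__ == "__main__":
    print(dva_decision({}, lambda: (True, [GOOD]), CERT, SPKI))        # skip
    print(dva_decision(ASSERTED, lambda: (True, [GOOD]), CERT, SPKI))  # pass
    print(dva_decision(ASSERTED, lambda: (True, [BAD]), CERT, SPKI))   # fail
```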
