On Mon, Jan 07, 2013 at 04:34:09PM +0200, Maxim Kammerer wrote:
> On Mon, Jan 7, 2013 at 3:31 AM, Robin H. Johnson <robb...@gentoo.org> wrote:
> > Thereafter, I'd also like to deploy DANE and SSH
> > fingerprints in DNS, and remove our reliance on any elements of the CA
> > chain.
> Isn't DANE highly experimental and only supported by a couple of
> browser plugins?
RFCs so far:
http://tools.ietf.org/html/rfc6698
http://tools.ietf.org/html/rfc6394

Firefox: Plugin needed: https://os3sec.org/
Chrome: Already included in stock, see
http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

> Also, how widespread is client DNSSEC support? E.g.,
> I enabled DNSSEC for my domain, but not sure yet whether DNS
> resolution anywhere will fail in case DNS responses are spoofed.
Most resolvers support it, but many have validation turned off :-(.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85