Randy Bush <ra...@psg.com> writes:

>> Which is the reason why no major browser does TLSA validation.
>
> well. there is the extra protocol turn. agl tried and backed off,
> seemingly because of that.

I hear that. And I see them pushing DNS over HTTPS at the same time. Doesn't really compute... They are so good at making up excuses.

A couple of years ago they didn't need TLSA validation because HPKP was so much better:
https://www.imperialviolet.org/2015/01/17/notdane.html

Where did that go? Oh, yes, turns out it wasn't such a good idea anyway:
https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html

So now we're back to ultimate trust in the CAs again, using CT and CAA. Nice move.

> but, if we want to encourage tlsa, recommended values for the three
> lovely but obscure (after all, it is the dns) parameters. victor
> whacked me into using 211 with let's encrypt certs.

I prefer 3 1 1 for my certs, pinning my own key regardless of who else signed it.

Bjørn
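The "2 1 1" versus "3 1 1" exchange above is about the three TLSA fields from RFC 6698: usage (2 = DANE-TA, pin the issuing CA; 3 = DANE-EE, pin the server's own cert), selector (0 = whole certificate, 1 = SubjectPublicKeyInfo) and matching type (1 = SHA-256). The following is an added example, not code from the thread or from any of the participants: it derives TLSA rdata from DER certificates with a minimal standard-library DER walker and shows why selector 1 pins the key across reissuance. The certificates are constructed, unsigned dummies with placeholder key bytes and made-up names; the helper names are my own.

```python
"""Derive DANE TLSA rdata (usage selector mtype hex) from DER certificates.

Added example, not from the mailing-list thread. The certificates built here
are constructed dummies (placeholder key, fake issuers, zero signature), only
structurally valid X.509 so the DER walker has something realistic to parse.
"""
import hashlib


# ---- minimal DER helpers (encode for the dummies, decode for the parser) ----
def der_len(n: int) -> bytes:
    """DER length, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end_offset) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """List of (tag, full_tlv_bytes) for each element inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = read_tlv(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


# ---- the part a practitioner needs: SPKI extraction and TLSA rdata ---------
def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV (what selector 1 hashes)."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body, _ = read_tlv(children(cert_body)[0][1], 0)   # tbsCertificate
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Build TLSA rdata; selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = raw/sha256/sha512."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    digest = {0: data.hex(),
              1: hashlib.sha256(data).hexdigest(),
              2: hashlib.sha512(data).hexdigest()}[mtype]
    return f"{usage} {selector} {mtype} {digest}"


# ---- constructed test data (not real keys or certificates) -----------------
def dummy_spki(seed: int) -> bytes:
    """id-ecPublicKey / prime256v1 SPKI with a placeholder 65-byte point."""
    alg = seq(tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"),
              tlv(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))
    point = b"\x04" + bytes((seed + i) & 0xFF for i in range(64))   # placeholder
    return seq(alg, tlv(0x03, b"\x00" + point))


def fake_cert(serial: int, issuer_cn: bytes, spki: bytes) -> bytes:
    """Structurally valid, unsigned X.509 v3 certificate for the given SPKI."""
    sha256_rsa = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))
    name = lambda cn: seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0c, cn))))
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), sha256_rsa,
              name(issuer_cn), validity, name(b"mail.example.net"), spki)
    return seq(tbs, sha256_rsa, tlv(0x03, b"\x00" + bytes(32)))   # zero "signature"


def demo() -> dict:
    key = dummy_spki(1)
    cert_a = fake_cert(1, b"Fake CA One", key)
    cert_b = fake_cert(2, b"Fake CA Two", key)       # same key, re-signed elsewhere
    ca_cert = fake_cert(7, b"Fake CA One", dummy_spki(99))   # the issuer's own cert
    return {
        "a_311": tlsa_rdata(cert_a, 3, 1, 1),        # DANE-EE, pins the server key
        "b_311": tlsa_rdata(cert_b, 3, 1, 1),        # identical: key did not change
        "a_301": tlsa_rdata(cert_a, 3, 0, 1),        # whole-cert hash changes on reissue
        "b_301": tlsa_rdata(cert_b, 3, 0, 1),
        "ca_211": tlsa_rdata(ca_cert, 2, 1, 1),      # DANE-TA, pins the issuing CA's key
    }


if __name__ == "__main__":
    for label, rdata in demo().items():
        print(f"{label}: _25._tcp.mail.example.net. IN TLSA {rdata}")
```

The a_311/b_311 pair is the point Bjørn makes: a 3 1 1 record survives a reissue by any CA as long as the server keeps its key pair, whereas 3 0 1 has to be republished with every new certificate, and 2 1 1 moves the dependency onto the CA's intermediate key instead. On a real host, `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256` produces the same 3 1 1 digest as `extract_spki` here.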