On 12/01/2010 04:12 AM, Paul Wouters wrote:
> On Wed, 1 Dec 2010, Leen Besselink wrote:
>
>> Chromium does have the --enable-dnssec-certs option so that is a start,
>> but it's experimental.
>
> What does that option do? As there is no real standard yet...

It does a number of checks from this page:

http://www.imperialviolet.org/2010/08/16/dnssectls.html

From looking at the wire, I see a request for the TXT RR with DO-bit set
and EDNS0 (payload size: 4096).

I haven't checked the actual code. It's more a proof of concept I think.

>
>> I think OpenSSH is the only application at this point which supports the
>> dnssec and in this case with SSHFP-RR.
>
> openswan supports raw RSA keys for IPsec in DNS.
>

Forgot about that one. Opportunistic encryption, I don't think anyone
else implemented that and openswan is not in the mainline kernel. So it
isn't widely deployed, which is too bad. It's an interesting idea.

>> DNSSEC can be used for so much more.
>
> It's coming, but it will take a few more months.
>
> Paul
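One way to confirm the wire observation in this message (a TXT query carrying EDNS0 with payload size 4096 and the DO bit set) from a captured packet. This is an added example, not code from the thread or from Chromium; the query name, the helper names `build_query` and `inspect_query`, and the sample packet are constructed for illustration.

```python
import struct

TYPE_TXT, TYPE_OPT = 16, 41

def build_query(name, qtype=TYPE_TXT, payload=4096, do=True):
    """Constructed sample: a query carrying an EDNS0 OPT record."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    ttl = 0x00008000 if do else 0  # OPT TTL field: ext-rcode, version, DO bit, Z
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, ttl, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def read_name(msg, off):
    """Return (dotted name, offset after it); a compression pointer ends the name."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0:
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def inspect_query(msg):
    """Report question name/type and the EDNS0 parameters seen on the wire."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        if qd != 1:
            raise ValueError("expected exactly one question")
        qname, off = read_name(msg, 12)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        info = {"qname": qname, "qtype": qtype, "edns": False, "payload": None, "do": False}
        for _ in range(an + ns + ar):
            _name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                # In an OPT record, CLASS is the UDP payload size and TTL bit 15 is DO
                info.update(edns=True, payload=rclass, do=bool(ttl & 0x8000))
        return info
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed DNS message") from exc

if __name__ == "__main__":
    print(inspect_query(build_query("www.example.org")))  # constructed query name
```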
