
Re: ca-certificates: no more cacert.org certificates?!?



On Mon, Mar 24, 2014 at 02:58:55PM +0100, Peter Palfrader wrote:
> On Mon, 24 Mar 2014, Adrien CLERC wrote:
> 
> > Le 24/03/2014 14:23, Raphael Geissert a écrit :
> > >> Anyway, I strongly recommend that nobody waste their time on an issue
> > >> which in a couple of years will be much less relevant thanks to DANE.
> > > If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped 
> > > support for the latter due to the lack of use[1].
> > >
> > > [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
> > >
> > Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> > standard in August 2012[1]. And DNS servers haven't had support for them
> > until recently (I'd say 6 months to 1 year).
> 
> DNS servers have supported them for years; RFC3597 is over a decade old
> by now.

RFC3597 does not specify TLSA records, it only specifies how DNS servers should
handle RRs with unknown (to them) RDATA format. It is essential to allow new
features to be propagated over the DNS network, but it does not necessarily
implement TLSA at the signing zone -- and that, apart from widespread
user agent support, is a pretty critical prerequisite for actually
starting to use DANE.

-- 
This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/
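The distinction drawn above (RFC 3597 opaque handling of an unknown RR type versus actual TLSA support) as an added example, not code from the thread or from any of its participants. It assumes the TLSA RDATA layout of RFC 6698 (usage, selector, matching type, certificate association data) and the `\# <len> <hex>` generic syntax of RFC 3597; the digest value is constructed.

```python
# Added example: a server that only implements RFC 3597 can store and serve
# TLSA RDATA as opaque bytes, but interpreting those bytes as TLSA (RFC 6698)
# is a separate step that only TLSA-aware software performs.
import binascii
from typing import Dict, Tuple

TLSA_TYPE = 52  # IANA RR type number assigned to TLSA


def tlsa_wire(usage: int, selector: int, mtype: int, assoc_hex: str) -> bytes:
    """Build TLSA RDATA: three one-octet fields followed by association data."""
    for v in (usage, selector, mtype):
        if not 0 <= v <= 255:
            raise ValueError("TLSA header fields are single octets")
    return bytes([usage, selector, mtype]) + binascii.unhexlify(assoc_hex)


def to_rfc3597(rrtype: int, rdata: bytes) -> str:
    """Generic presentation form a server without native TLSA support can hold."""
    return f"TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}"


def from_rfc3597(text: str) -> Tuple[int, bytes]:
    """Parse 'TYPEnn \\# <len> <hex...>' back to (type, rdata), checking length."""
    parts = text.split()
    if len(parts) < 3 or not parts[0].upper().startswith("TYPE") or parts[1] != "\\#":
        raise ValueError("not RFC 3597 generic syntax")
    rrtype = int(parts[0][4:])
    length = int(parts[2])
    rdata = binascii.unhexlify("".join(parts[3:]))  # hex may be space-separated
    if len(rdata) != length:
        raise ValueError(f"declared length {length} != actual {len(rdata)}")
    return rrtype, rdata


def decode_tlsa(rdata: bytes) -> Dict[str, object]:
    """Interpret RDATA as TLSA; this is the part RFC 3597 alone does not give you."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA needs at least 3 octets")
    expected = {1: 32, 2: 64}.get(rdata[2])  # SHA-256 / SHA-512 digest sizes
    if expected is not None and len(rdata) - 3 != expected:
        raise ValueError("association data length does not match matching type")
    return {"usage": rdata[0], "selector": rdata[1], "matching_type": rdata[2],
            "cert_assoc_data": rdata[3:].hex()}


# Constructed sample: DANE-EE (3), SPKI (1), SHA-256 (1), fake 32-byte digest.
SAMPLE_DIGEST = "ab" * 32
SAMPLE_RDATA = tlsa_wire(3, 1, 1, SAMPLE_DIGEST)
SAMPLE_GENERIC = to_rfc3597(TLSA_TYPE, SAMPLE_RDATA)

if __name__ == "__main__":
    print("_443._tcp.example.com. IN", SAMPLE_GENERIC)
    print(decode_tlsa(from_rfc3597(SAMPLE_GENERIC)[1]))
```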
