
Re: ca-certificates: no more cacert.org certificates?!?

On Tue, 25 Mar 2014, Wouter Verhelst wrote:

> > > Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> > > standard in August 2012[1]. And DNS servers haven't had support for them
> > > until recently (I'd say 6 months to 1 year).
> > 
> > DNS servers have supported them for years; RFC3597 is over a decade old
> > by now.
> 
> RFC3597 does not specify TLSA records, it only specifies how DNS servers should
> handle RRs with unknown (to them) RDATA format. It is essential to allow new
> features to be propagated over the DNS network, but it does not necessarily
> implement TLSA at the signing zone -- and that, apart from widespread
> user agent support, is a pretty critical prerequisite for actually
> starting to use DANE.

The claim was that DNS servers didn't support it.  All you need is
RFC3597 support to add TLSA records to your zone.

e.g.:
} _443._tcp.www.debian.org. IN TYPE52 \# 35 03010124b4287bf05f884f844373ac21f5afd3f74a31881c907c1e2712248e7ade9ab1

-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
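The record quoted in the message above uses the RFC 3597 generic RDATA syntax (`TYPE52 \# <length> <hex>`), which is what lets a server publish a TLSA record without knowing the type. The following is an added example, not code from the thread: it decodes and re-encodes that generic form and checks the declared length and the digest length against the TLSA field layout of RFC 6698 (usage, selector, matching type, certificate association data), which is the sanity check a zone maintainer wants before signing such a record.

```python
import re

# Digest lengths for TLSA matching types (RFC 6698): 1 = SHA-256, 2 = SHA-512.
# Matching type 0 carries the full certificate/SPKI, so its length is not fixed.
_DIGEST_LEN = {1: 32, 2: 64}

# RFC 3597 generic RDATA: TYPEnnn \# <byte length> <hex, whitespace allowed>
_GENERIC_RE = re.compile(r"^TYPE(\d+)\s+\\#\s+(\d+)\s*(.*)$", re.IGNORECASE)

# The record from the message above, in the same generic syntax.
DEBIAN_TLSA_RDATA = ("TYPE52 \\# 35 03010124b4287bf05f884f844373ac21f5afd3"
                     "f74a31881c907c1e2712248e7ade9ab1")


def parse_generic_tlsa(rdata: str) -> dict:
    """Decode RFC 3597 generic RDATA carrying a TLSA (TYPE52) record.

    Raises ValueError on anything inconsistent: wrong type, declared length
    not matching the hex payload, or a digest of the wrong size.
    """
    m = _GENERIC_RE.match(rdata.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA syntax")
    rrtype, declared_len, hexdata = int(m.group(1)), int(m.group(2)), m.group(3)
    if rrtype != 52:
        raise ValueError(f"TYPE{rrtype} is not TLSA (TYPE52)")
    raw = bytes.fromhex("".join(hexdata.split()))  # hex may be split by spaces
    if len(raw) != declared_len:
        raise ValueError(f"declared length {declared_len} != actual {len(raw)}")
    if len(raw) < 3:
        raise ValueError("TLSA RDATA needs usage, selector and matching type")
    usage, selector, mtype, cad = raw[0], raw[1], raw[2], raw[3:]
    if mtype in _DIGEST_LEN and len(cad) != _DIGEST_LEN[mtype]:
        raise ValueError(f"matching type {mtype} expects "
                         f"{_DIGEST_LEN[mtype]} bytes, got {len(cad)}")
    return {"usage": usage, "selector": selector,
            "matching_type": mtype, "cad": cad.hex()}


def is_valid_generic_tlsa(rdata: str) -> bool:
    """True if the generic RDATA decodes as a self-consistent TLSA record."""
    try:
        parse_generic_tlsa(rdata)
        return True
    except ValueError:
        return False


def build_generic_tlsa(usage: int, selector: int, mtype: int, cad_hex: str) -> str:
    """Encode TLSA fields in RFC 3597 generic form, as in the record above."""
    raw = bytes([usage, selector, mtype]) + bytes.fromhex(cad_hex)
    if mtype in _DIGEST_LEN and len(raw) - 3 != _DIGEST_LEN[mtype]:
        raise ValueError(f"digest length does not match matching type {mtype}")
    return f"TYPE52 \\# {len(raw)} {raw.hex()}"


if __name__ == "__main__":
    print(parse_generic_tlsa(DEBIAN_TLSA_RDATA))
```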