Re: debcheckroot v2.0 released
Hello.
On 2 Apr 2020, at 0:57, Paul Wise wrote:
> Support for DANE is never going to happen for the web (given the
> opinions of the major browser makers) and it could disappear in other
> upstream projects as the popularity of DoH/DoT and other things in the
> DNS space eclipse DANE/DNSSEC.
I'm surprised by the second part of this statement, "and it
could disappear [...] as [...] other things [...] eclipse
DANE/DNSSEC."
DoH and DoT provide an encrypted query/response channel from the
client to the resolver. DNSSEC provides an assurance that the
resolver is not spoofing response data. DANE builds on DNSSEC
to protect against a compromised (or even rogue) CA certifying
an impostor instead of the legitimate operator of a service.
These are complementary protections against corresponding
distinct threats, not competing solutions to the same problem.
Best regards,
Niall O'Reilly
Reply to: