
Re: debcheckroot v2.0 released



Paul Wise <pabs@debian.org> writes:
> On Wed, Apr 1, 2020 at 6:01 PM vince@vheuser.com wrote:
>
>> Did the discussion of continuing support for DANE end??
>
> In case I mislead anyone, a clarification:
>
> Debian itself isn't going to actively work on removing support for
> DANE from anything nor removing our DANE/DNSSEC records.
>
> Support for DANE is never going to happen for the web (given the
> opinions of the major browser makers)

Well, there is one major vendor desperately looking for an "edge" (pun
intended) over the others:

https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494

They haven't announced browser support.  Yet.  But I don't think you
should rule out DANE just yet.

> and it could disappear in other
> upstream projects as the popularity of DoH/DoT and other things in the
> DNS space eclipse DANE/DNSSEC. Should that happen to the software
> Debian uses for DNS/DANE, we may be forced to drop our DANE/DNSSEC
> records.


I really don't see how you come to that conclusion. The TLSA records
won't break anything unless the vendors implement broken DANE support.
So why would you *have* to remove the records?

And DNSSEC is a different game.  It's implemented by every caching
resolver implementation worth mentioning.  It's a critical part of the
DNS. It is not going away.  It is more likely to become mandatory.

The DoT/DoH games might end up with even more centralized resolver
services than today, but that will just increase the importance of
DNSSEC to end users. You obviously cannot trust unsigned DNS data from a
distant resolver.  This has nothing to do with transport security. The
problem with DoH is that you cannot trust a source with unknown
management and jurisdiction.


Bjørn
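The TLSA matching Bjørn refers to, as an added example that is not part of the original message or of debcheckroot: how a DANE client checks a server certificate against a published TLSA record (RFC 6698/7671), why a record is harmless to clients that never look it up, and why a record with unknown parameters is "unusable" (fall back to ordinary PKIX) rather than a hard failure. Standard library only. The certificate is a constructed DER skeleton with made-up key bytes and an invented name, not a real or signed certificate, and the record values are derived from it; the function and constant names are this example's own.

```python
"""DANE/TLSA matching as a client performs it (RFC 6698 / RFC 7671).

Added example. The certificate below is constructed test data: a DER
Certificate skeleton around an Ed25519-shaped SubjectPublicKeyInfo with
made-up key bytes and an unsigned, all-zero signature.
"""
import hashlib
import hmac
from dataclasses import dataclass


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, up to 65535 content bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _tlv_span(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (header_len, content_len) of the TLV starting at buf[pos]."""
    first = buf[pos + 1]
    if first < 0x80:
        return 2, first
    nbytes = first & 0x7F
    return 2 + nbytes, int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")


def der_children(tlv: bytes) -> list[bytes]:
    """Split a constructed DER value into its child TLVs (headers included)."""
    hdr, length = _tlv_span(tlv, 0)
    body, children, pos = tlv[hdr:hdr + length], [], 0
    while pos < len(body):
        h, n = _tlv_span(body, pos)
        children.append(body[pos:pos + h + n])
        pos += h + n
    return children


def spki_of(cert_der: bytes) -> bytes:
    """Extract SubjectPublicKeyInfo from a DER Certificate (RFC 5280 4.1)."""
    fields = der_children(der_children(cert_der)[0])   # TBSCertificate
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 2bb1...'."""
    u, s, m, *hexparts = rdata.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))


def usable(rec: TLSA) -> bool:
    """RFC 7671: a record with parameters the client does not understand is
    unusable; it is skipped, it is not a validation failure."""
    return rec.usage in (0, 1, 2, 3) and rec.selector in (0, 1) and rec.matching in (0, 1, 2)


def association_data(rec: TLSA, cert_der: bytes) -> bytes:
    selected = cert_der if rec.selector == 0 else spki_of(cert_der)
    if rec.matching == 0:
        return selected
    return (hashlib.sha256 if rec.matching == 1 else hashlib.sha512)(selected).digest()


def matches(rec: TLSA, cert_der: bytes) -> bool:
    """True when cert_der matches the record's association data."""
    return usable(rec) and hmac.compare_digest(association_data(rec, cert_der), rec.data)


def tlsa_for(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    """Presentation-format record an operator would publish for cert_der."""
    data = association_data(TLSA(usage, selector, matching, b""), cert_der)
    return f"{usage} {selector} {matching} {data.hex()}"


def dane_verdict(records: list[TLSA], ee_cert: bytes) -> str:
    """End-entity verdict. 'unusable' means no record was usable (RFC 7671:
    treat as if no TLSA RRset existed and do ordinary PKIX). TA usages (0, 2)
    need the issuer chain and are out of scope for this single-cert example."""
    ee_records = [r for r in records if usable(r) and r.usage in (1, 3)]
    if not ee_records:
        return "unusable"
    return "match" if any(matches(r, ee_cert) for r in ee_records) else "mismatch"


def build_fake_cert(pubkey: bytes) -> bytes:
    """Constructed DER Certificate skeleton (not signed, not a real cert)."""
    ed25519 = der(0x06, bytes.fromhex("2b6570"))       # OID 1.3.101.112
    spki = der(0x30, der(0x30, ed25519) + der(0x03, b"\x00" + pubkey))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"example.test"))))
    validity = der(0x30, der(0x17, b"200401000000Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, ed25519) + name + validity + name + spki)
    return der(0x30, tbs + der(0x30, ed25519) + der(0x03, b"\x00" + bytes(64)))


# Constructed sample data: two certificates and records published for the first.
CERT_A = build_fake_cert(bytes(range(32)))
CERT_B = build_fake_cert(bytes(range(32, 64)))
RECORD_SPKI = tlsa_for(CERT_A, 3, 1, 1)   # "3 1 1 <sha256 of SPKI>"
RECORD_FULL = tlsa_for(CERT_A, 3, 0, 1)   # "3 0 1 <sha256 of whole cert>"

if __name__ == "__main__":
    print("_443._tcp.example.test. IN TLSA", RECORD_SPKI)
    print("cert A:", dane_verdict([parse_tlsa(RECORD_SPKI)], CERT_A))
    print("cert B:", dane_verdict([parse_tlsa(RECORD_SPKI)], CERT_B))
    print("unknown matching type:", dane_verdict([parse_tlsa("3 1 9 00")], CERT_A))
```

The point of `usable()` and `dane_verdict()` is the one the message makes: a published TLSA record only affects clients that query it and implement the matching, and even then a record the client cannot interpret is skipped, not treated as a failure, so the records themselves do not break anything. What the example cannot show is the part the record depends on: a client must only act on TLSA data that arrived DNSSEC-validated (AD bit from a trusted validating resolver, or local validation), since an unsigned answer from a distant resolver could carry anyone's record.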

