On Mon, 24 Mar 2014, Adrien CLERC wrote:

> On 24/03/2014 14:23, Raphael Geissert wrote:
> >> Anyway, I strongly recommend that nobody waste their time on an issue
> >> which in a couple of years will be much less relevant thanks to DANE.
> > If only people actually used DNSSEC and DANE - Chromium/Google Chrome
> > dropped support for the latter due to the lack of use[1].
> >
> > [1] https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
> >
> Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> standard in August 2012[1]. And DNS servers haven't had support for them
> until recently (I'd say 6 months to 1 year).

DNS servers have supported them for years; RFC3597 is over a decade old by now.

> The issue with that kind of protocol is that you must trust
> your resolver, or have a resolver on your machine, bypassing any
> existing resolver cache of your network provider.

A local validating resolver is not incompatible with using your provider's recursor (if you actually believe that buys you anything).

-- 
Peter Palfrader
http://www.palfrader.org/
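
The RFC3597 point in the reply above, as an added example that is not part of the original message: a TLSA record (type 52, RFC 6698) written in the generic `TYPEnnn \# length hex` syntax, which a server can load without knowing the TLSA type. The owner name, TTL and certificate bytes are constructed sample values.

```python
# Added example: TLSA RDATA (RFC 6698) in RFC 3597 generic "TYPEnnn \# len hex" form.
import hashlib

TLSA_TYPE = 52  # RR type code assigned to TLSA

def tlsa_rdata(usage: int, selector: int, mtype: int, assoc: bytes) -> bytes:
    """Wire-format RDATA: three one-byte fields, then the association data."""
    for name, value in (("usage", usage), ("selector", selector), ("mtype", mtype)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} must fit in one byte")
    expected = {1: 32, 2: 64}.get(mtype)  # SHA-256 / SHA-512 digest sizes
    if expected is not None and len(assoc) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes")
    return bytes([usage, selector, mtype]) + assoc

def to_generic(owner: str, ttl: int, rdata: bytes) -> str:
    """Zone-file line that needs no TLSA-specific parser on the server."""
    return f"{owner} {ttl} IN TYPE{TLSA_TYPE} \\# {len(rdata)} {rdata.hex()}"

def from_generic(line: str) -> tuple:
    """Parse a generic TYPE52 line back into (usage, selector, mtype, assoc)."""
    tokens = line.split()
    if "\\#" not in tokens:
        raise ValueError("not RFC 3597 generic syntax")
    i = tokens.index("\\#")
    if i == 0 or tokens[i - 1].upper() != f"TYPE{TLSA_TYPE}":
        raise ValueError("not a TYPE52 record")
    if len(tokens) < i + 2:
        raise ValueError("missing RDATA length")
    rdata = bytes.fromhex("".join(tokens[i + 2:]))
    if len(rdata) != int(tokens[i + 1]):
        raise ValueError("declared RDATA length does not match hex data")
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA needs at least three header bytes")
    return rdata[0], rdata[1], rdata[2], rdata[3:]

if __name__ == "__main__":
    cert = b"constructed sample certificate bytes"  # constructed, not a real cert
    # usage 3 (DANE-EE), selector 0 (full certificate), matching type 1 (SHA-256)
    rdata = tlsa_rdata(3, 0, 1, hashlib.sha256(cert).digest())
    line = to_generic("_443._tcp.www.example.org.", 3600, rdata)
    print(line)
    print(from_generic(line))
```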