Hello. On 2 Apr 2020, at 0:57, Paul Wise wrote:
> Support for DANE is never going to happen for the web (given the > opinions of the major browser makers) and it could disappear in other > upstream projects as the popularity of DoH/DoT and other things in the > DNS space eclipse DANE/DNSSEC. I'm surprised by the second part of this statement, "and it could disappear [...] as [...] other things [...] eclipse DANE/DNSSEC." DoH and DoT provide an encrypted query/response channel from the client to the resolver. DNSSEC provides an assurance that the resolver is not spoofing response data. DANE builds on DNSSEC to protect against a compromised (or even rogue) CA certifying an impostor instead of the legitimate operator of a service. These are complementary protections against corresponding distinct threats, not competing solutions to the same problem. Best regards, Niall O'Reilly
