Paul Wise <p...@debian.org> writes:

> On Wed, Apr 1, 2020 at 6:01 PM vi...@vheuser.com wrote:
>
>> Did the discussion of continuing support for DANE end??
>
> In case I misled anyone, a clarification:
>
> Debian itself isn't going to actively work on removing support for
> DANE from anything nor removing our DANE/DNSSEC records.
>
> Support for DANE is never going to happen for the web (given the
> opinions of the major browser makers)
Well, there is one major vendor desperately looking for an "edge" (pun
intended) over the others:

https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494

They haven't announced browser support. Yet. But I don't think you
should rule out DANE just yet.

> and it could disappear in other
> upstream projects as the popularity of DoH/DoT and other things in the
> DNS space eclipse DANE/DNSSEC. Should that happen to the software
> Debian uses for DNS/DANE, we may be forced to drop our DANE/DNSSEC
> records.

I really don't see how you come to that conclusion. The TLSA records
won't break anything unless the vendors implement broken DANE support.
So why would you *have* to remove the records?

And DNSSEC is a different game. It's implemented by every caching
resolver implementation worth mentioning. It's a critical part of the
DNS. It is not going away. It is more likely to become mandatory.

The DoT/DoH games might end up with even more centralized resolver
services than today, but that will just increase the importance of
DNSSEC to end users. You obviously cannot trust unsigned DNS data from
a distant resolver. This has nothing to do with transport security. The
problem with DoH is that you cannot trust a source with unknown
management and jurisdiction.

Bjørn
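As an added illustration of the point about TLSA records (this is example code, not from the thread, Debian or any DANE implementation), here is what a correct client-side TLSA check looks like per RFC 6698: a record only constrains which certificate or key is accepted, and a record the client cannot use simply never matches. Certificate parsing is assumed to happen elsewhere (the caller supplies DER and SubjectPublicKeyInfo bytes); the byte strings below are constructed placeholders, not real certificates.

```python
import hashlib
from typing import List, Tuple
# TLSA RDATA as it appears in a zone file: (usage, selector, matching type, hex data).
TLSA = Tuple[int, int, int, str]

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation form "3 1 1 <hex>" (the hex may be split by spaces)."""
    usage, selector, mtype, *data = rdata.split()
    return int(usage), int(selector), int(mtype), "".join(data).lower()

def matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one certificate against one TLSA record (RFC 6698 section 2.1):
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type
    0 = exact bytes, 1 = SHA-256, 2 = SHA-512. Unsupported values never match."""
    _, selector, mtype, expected = record
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_der
    else:
        return False
    if mtype == 0:
        got = data
    elif mtype == 1:
        got = hashlib.sha256(data).digest()
    elif mtype == 2:
        got = hashlib.sha512(data).digest()
    else:
        return False
    return got == bytes.fromhex(expected)

def dane_accepts(records: List[TLSA], chain: List[Tuple[bytes, bytes]]) -> bool:
    """chain[0] is the end-entity (cert_der, spki_der); the rest are its issuers.
    Usage 1/3 (PKIX-EE/DANE-EE) must match the end-entity, usage 0/2 (PKIX-TA/
    DANE-TA) some issuer. Usages 0/1 also need normal PKIX validation (not done)."""
    for rec in records:
        if rec[0] in (1, 3) and matches(rec, *chain[0]):
            return True
        if rec[0] in (0, 2) and any(matches(rec, *c) for c in chain[1:]):
            return True
    return False

# Constructed sample input: placeholder byte strings standing in for DER blobs.
EE_CERT, EE_SPKI = b"constructed-ee-cert", b"constructed-ee-spki"
CA_CERT, CA_SPKI = b"constructed-ca-cert", b"constructed-ca-spki"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]
GOOD = parse_tlsa("3 1 1 " + hashlib.sha256(EE_SPKI).hexdigest())    # DANE-EE pin on the SPKI
CA_PIN = parse_tlsa("2 0 1 " + hashlib.sha256(CA_CERT).hexdigest())  # DANE-TA pin on the issuer
STALE = parse_tlsa("3 1 1 " + hashlib.sha256(b"rotated-away").hexdigest())  # key rolled, record not
```

With several records published, one stale record is harmless as long as another current one matches, which is the usual way to roll keys without breaking clients.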