On Wed, Oct 30, 2024 at 03:49:42PM -0700, Doug Barton via dns-operations wrote:
> From: Doug Barton <dougb@dougbarton.email>
> Date: Wed, 30 Oct 2024 15:49:42 -0700
> Subject: R53 Introduces service Binding (SVCB), HTTPS, TLSA, and Secure
>  Shell fingerprint (SSHFP) records
> To: dns-operati...@dns-oarc.net
>
> Seems like an interesting development.
>
> Thoughts?
>
> https://aws.amazon.com/blogs/networking-and-content-delivery/improving-security-and-performance-with-additional-dns-resource-record-types-in-amazon-route-53/

Good to see it happen, better late than never. The high level overview
is roughly right, be it that some of the technical details are a bit off:

    - The example TLSA record associated data is not valid hexadecimal.

    - DANE-enabled SMTP clients don't launch right into a TLS client
      Hello, after reading the server 220 banner. EHLO and STARTTLS
      are still required first.

If this were a tutorial on deploying server-side DANE TLSA records, I'd
have asked for more coverage of the operational requirements of keeping
it working (not just fire and forget initial configuration), but this is
a service rollout announcement, not a user guide, so the scope is about
right...

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations