BTW, DANE stapling is not that hard. I have been pointed at AGL's code for it. The RP side doesn't need a DNSSEC resolver to implement it because all the records are stapled, and the RP doesn't need to implement non-existence checking and so on -- just validate the signature chain to the RP's DNSSEC root and check "name constraints".
Producing the stapled data is not hard either. There's a Python script that uses dig(1) that supports this. It needs to learn to be a daemon that wakes before the shortest TTL passes to refresh the chain. Stapling should result in fewer external dependencies for the Kerberos libraries, so that's a big win.

Nico
-- 
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
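An added example of the refresh logic the message describes, written for this page and not taken from the thread or from the script Nico refers to. It parses `dig +dnssec +noall +answer` output for a stapled chain (the sample here is constructed; the owner name `_88._tcp.kdc.example.com.`, the zone `example.com.` and all key and signature data are placeholders, and the chain is truncated at example.com's DS where a real one continues to the root), refuses to staple a chain in which some RRset has no RRSIG, and computes when the daemon must wake: before the shortest TTL runs out, but also before the earliest RRSIG expiration, since a cached RRset whose signature has expired is useless to the RP even if its TTL has not passed. `fetch_rrsets` shells out to dig(1) for live use; the caller supplies the list of (name, type) queries for the walk from the TLSA record up through each zone cut.

```python
import datetime as dt
import subprocess
import time
from dataclasses import dataclass

# Constructed sample of `dig +dnssec +noall +answer` output for a stapled chain,
# truncated at example.com's DS record (a real chain continues with the com.
# DNSKEY/DS and the root DNSKEY). Keys, digests and signatures are placeholders.
SAMPLE_CHAIN = """\
_88._tcp.kdc.example.com. 3600 IN TLSA 3 1 1 8A9F3C7E0D1B5A6F2E4C8B9D0A1F3E5C7B9D2F4A6C8E0B1D3F5A7C9E1B3D5F7A
_88._tcp.kdc.example.com. 3600 IN RRSIG TLSA 13 5 3600 20240115000000 20240101000000 12345 example.com. c2lnMQ==
example.com. 7200 IN DNSKEY 257 3 13 a2V5MQ==
example.com. 7200 IN RRSIG DNSKEY 13 2 7200 20240120000000 20240101000000 12345 example.com. c2lnMg==
example.com. 1800 IN DS 12345 13 2 1F2E3D4C5B6A79880917263544536271
example.com. 1800 IN RRSIG DS 8 2 1800 20240112000000 20240101000000 22222 com. c2lnMw==
"""


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def utc(stamp):
    """Parse a YYYYMMDDHHMMSS timestamp (RRSIG presentation format) as UTC."""
    return dt.datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)


def parse_dig_answer(text):
    """Turn `dig +noall +answer` lines into RR records; comments and blanks are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] != "IN":
            raise ValueError("unexpected dig line: %r" % line)
        name, ttl, _cls, rtype, rdata = parts
        rrs.append(RR(name, int(ttl), rtype, " ".join(rdata.split())))
    return rrs


def rrsig_expiration(rr):
    """RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig."""
    return utc(rr.rdata.split()[4])


def unsigned_rrsets(rrs):
    """(owner, type) pairs with no RRSIG covering them. The RP cannot validate a
    chain with a gap like this, so the producer must refuse to staple it."""
    covered = {(r.name, r.rdata.split()[0]) for r in rrs if r.rtype == "RRSIG"}
    present = {(r.name, r.rtype) for r in rrs if r.rtype != "RRSIG"}
    return sorted(present - covered)


def next_refresh(rrs, now, margin_seconds=300):
    """Earliest of (now + shortest TTL) and the earliest RRSIG expiration, less a
    safety margin; never earlier than now (then the caller refreshes at once)."""
    ttl_deadline = now + dt.timedelta(seconds=min(r.ttl for r in rrs))
    sig_deadline = min(rrsig_expiration(r) for r in rrs if r.rtype == "RRSIG")
    deadline = min(ttl_deadline, sig_deadline) - dt.timedelta(seconds=margin_seconds)
    return max(deadline, now)


def fetch_rrsets(queries, server=None):
    """Run dig(1) for each (name, type) in the chain and concatenate the answers.
    The caller supplies the walk: TLSA at the leaf, then DNSKEY and DS at every
    zone cut up to the root. Needs a working dig on PATH."""
    chunks = []
    for qname, qtype in queries:
        cmd = ["dig", "+dnssec", "+noall", "+answer"]
        if server:
            cmd.append("@" + server)
        cmd += [qname, qtype]
        chunks.append(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)
    return "\n".join(chunks)


def staple_loop(queries, staple_path, iterations=None):
    """Daemon body: refetch, sanity-check, write the staple, sleep until the deadline."""
    n = 0
    while iterations is None or n < iterations:
        rrs = parse_dig_answer(fetch_rrsets(queries))
        missing = unsigned_rrsets(rrs)
        if missing:
            raise RuntimeError("unsigned RRsets in chain: %s" % missing)
        with open(staple_path, "w") as f:
            for r in rrs:
                f.write("%s %d IN %s %s\n" % (r.name, r.ttl, r.rtype, r.rdata))
        now = dt.datetime.now(dt.timezone.utc)
        time.sleep((next_refresh(rrs, now) - now).total_seconds())
        n += 1


if __name__ == "__main__":
    rrs = parse_dig_answer(SAMPLE_CHAIN)
    print("unsigned RRsets:", unsigned_rrsets(rrs))
    print("refresh at:", next_refresh(rrs, utc("20240110000000")).isoformat())
```

On the sample chain the DS RRset's 1800 s TTL drives the first refresh, but a day later the DS RRSIG's 2024-01-12 expiration becomes the binding deadline even though no TTL has elapsed, which is why the daemon has to look at both.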