On Fri, Jan 07, 2022 at 06:17:45PM -0500, PGNet Dev wrote:

> > Absent DANE, this is all security theatre.
> 
> yup.  which is why i'm doing the step1 cleanups etc to get my own
> mistakes out of the way ... on the way to DNSSEC/DANE.

Be sure to do it right, or not at all.  It does nobody a favour when
DANE is deployed sloppily with TLSA records failing to match the
certificate chain after each cert rollover.

    https://mail.sys4.de/pipermail/dane-users/2022-January/000619.html

See the "DANE resources" links at:

    https://stats.dnssec-tools.org/explore/

-- 
    Viktor.

Reply via email to