On Fri, Jan 07, 2022 at 06:17:45PM -0500, PGNet Dev wrote:

> > Absent DANE, this is all security theatre.
>
> yup. which is why i'm doing the step1 cleanups etc to get my own
> mistakes out of the way ... on the way to DNSSEC/DANE.

Be sure to do it right, or not at all. It does nobody a favour when
DANE is deployed sloppily with TLSA records failing to match the
certificate chain after each cert rollover.

    https://mail.sys4.de/pipermail/dane-users/2022-January/000619.html

See the "DANE resources" links at:

    https://stats.dnssec-tools.org/explore/

-- 
    Viktor.
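
A pre-rollover check for the mismatch described in the message above, as an added example that is not part of the original message or of any project it links to. It assumes only DANE-EE (usage 3) TLSA records; the function names are hypothetical and the byte strings are constructed stand-ins for the DER of the certificate and of its SubjectPublicKeyInfo.

```python
import hashlib

def parse_tlsa(rdata):
    """Parse TLSA presentation RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def association_data(cert_der, spki_der, selector, mtype):
    """Value a TLSA record must carry for this certificate (RFC 6698)."""
    selected = {0: cert_der, 1: spki_der}[selector]  # 0 = full cert, 1 = SPKI
    if mtype == 0:                                   # 0 = exact match
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()

def matches(rrset, cert_der, spki_der):
    """True if any usage-3 record in the RRset matches the leaf certificate."""
    for rdata in rrset:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
            continue  # DANE-TA and unknown field values are out of scope here
        if data == association_data(cert_der, spki_der, selector, mtype):
            return True
    return False

def safe_to_roll(rrset, live, upcoming):
    """Rollover gate: the published RRset must match the certificate served
    now AND the one about to be deployed, before the switch is made."""
    return matches(rrset, *live) and matches(rrset, *upcoming)

# Constructed stand-ins: (certificate DER, SPKI DER). Not real certificates.
LIVE = (b"constructed-live-cert", b"constructed-live-spki")
NEXT = (b"constructed-next-cert", b"constructed-next-spki")

def tlsa_311(spki_der):
    """Build a '3 1 1' record (DANE-EE, SPKI, SHA-256) for sample data."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

SLOPPY = [tlsa_311(LIVE[1])]                      # only the current key
CAREFUL = [tlsa_311(LIVE[1]), tlsa_311(NEXT[1])]  # next key pre-published

if __name__ == "__main__":
    for name, rrset in (("sloppy", SLOPPY), ("careful", CAREFUL)):
        print(name, "safe to roll:", safe_to_roll(rrset, LIVE, NEXT))
```

In practice the RRset passed in should be what resolvers actually see after the old records' TTL has expired, not the contents of the zone file being edited.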