On Fri, Jan 07, 2022 at 06:17:45PM -0500, PGNet Dev wrote:
> > Absent DANE, this is all security theatre.
>
> yup. which is why i'm doing the step1 cleanups etc to get my own
> mistakes out of the way ... on the way to DNSSEC/DANE.

Be sure to do it right, or not at all. It does nobody a favour when
DANE is deployed sloppily with TLSA records failing to match the
certificate chain after each cert rollover.

https://mail.sys4.de/pipermail/dane-users/2022-January/000619.html

See the "DANE resources" links at:

https://stats.dnssec-tools.org/explore/

--
Viktor.
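
An added example, not part of the message above: a pre-rollover check that the published TLSA RRset pins both the key in service and the key about to be deployed, for DANE-EE SPKI records ("3 1 x"). The function names are hypothetical, the SubjectPublicKeyInfo DER bytes are assumed to be extracted elsewhere, and the sample byte strings are constructed placeholders, not real keys.

```python
import hashlib

# TLSA matching types (RFC 6698): 1 = SHA-256, 2 = SHA-512 of the selected data.
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rdata):
    """Split presentation-format rdata: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    # Zone files may split the hex field with whitespace and use either case.
    return int(usage), int(selector), int(mtype), "".join(hexparts).lower()

def matches_ee_spki(rdata, spki_der):
    """True if this TLSA record is DANE-EE (usage 3), selector 1, and pins spki_der."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3 or selector != 1:
        return False          # other usages/selectors are out of scope here
    if mtype == 0:
        return data == spki_der.hex()   # mtype 0 carries the raw SPKI
    digest = _DIGESTS.get(mtype)
    return digest is not None and digest(spki_der).hexdigest() == data

def rollover_check(rrset, live_spki, next_spki):
    """Return a list of problems; empty means the key swap will not break DANE."""
    problems = []
    if not any(matches_ee_spki(r, live_spki) for r in rrset):
        problems.append("live key is not pinned: validation is failing now")
    if not any(matches_ee_spki(r, next_spki) for r in rrset):
        problems.append("next key is not pinned: publish its TLSA record "
                        "and wait out the TTL before deploying the cert")
    return problems

def tlsa_311(spki_der):
    """Render the '3 1 1' record that pins spki_der."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

# Constructed placeholders standing in for real SPKI DER encodings.
LIVE_SPKI = b"constructed-live-spki"
NEXT_SPKI = b"constructed-next-spki"

if __name__ == "__main__":
    published = [tlsa_311(LIVE_SPKI)]            # only the current key is pinned
    for problem in rollover_check(published, LIVE_SPKI, NEXT_SPKI):
        print("FAIL:", problem)
```

Run it against the RRset as seen by a validating resolver, not the zone file on disk, so that what is checked is what remote MTAs actually receive.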