Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning)

2014-06-16 14:02:26
In article 
 you write:
> Right, I wasn't sure exactly why DANE requires DNSSEC.

It was essentially a political decision, but one that is now cast in
concrete.  The rationale, as I understand it, is that to be a
reasonable replacement for CAs it needs a comparably strong chain of
authority.  DANE without DNSSEC would be a particularly egregious
example of the Internet's traditional security model of putting a ten
ton steel lock on a screen door.

> DANE requiring DNSSEC seems to be the perfect being the enemy of the good.

That, too.  Technically, there's nothing keeping you from publishing DANE
records in unsigned zones, although I don't know what libraries are likely
to do with them.
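As an added example that is not part of this thread, here is a minimal TLSA matcher following the RFC 6698 selector/matching-type rules; it returns no DANE decision at all when the resolver did not DNSSEC-validate the records, which is the "screen door" point above. The certificate and SPKI bytes are constructed placeholders, and the names parse_tlsa, tlsa_matches and dane_verify are my own.

```python
# Added example: TLSA matching gated on DNSSEC validation (not from the thread).
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698 usage 0-3; RFC 7672 uses only 2 and 3 for SMTP
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form, e.g. '3 1 1 <hex>' (hex may contain spaces)."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the association data matches the presented certificate.
    Simplification: usage 2 (DANE-TA) really has to match an issuer in the
    chain; here only the end-entity cert/SPKI is checked."""
    subject = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return rec.data == subject
    if rec.matching == 1:
        return rec.data == hashlib.sha256(subject).digest()
    if rec.matching == 2:
        return rec.data == hashlib.sha512(subject).digest()
    return False  # unknown matching type: unusable record


def dane_verify(records, dnssec_validated: bool, cert_der: bytes, spki_der: bytes):
    """None  -> no usable DANE data (e.g. unsigned zone); caller falls back to
                whatever it does without DANE, such as opportunistic TLS
       True  -> a DNSSEC-validated TLSA record matched
       False -> validated records exist but none matched: fail closed"""
    if not dnssec_validated:
        # TLSA from an unsigned zone is unauthenticated data: it must not be
        # allowed to strengthen or weaken the decision, so treat it as absent.
        return None
    usable = [r for r in records if r.usage in (2, 3)]
    if not usable:
        return None
    return any(tlsa_matches(r, cert_der, spki_der) for r in usable)


# Constructed sample data; not a real certificate or public key.
CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SPKI_DER = b"\x30\x59constructed-spki-bytes"
RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest())
```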
