Peter Bowen writes:
On Tue, Jun 17, 2014 at 8:39 AM, Brandon Long <blong(_at_)google(_dot_)com>
Of course, my point is that clearly DANE is better than nothing and DNSSEC
makes it better. I don't see what leaving out DNSSEC adds holes that don't
already exist worse without DANE.
I was hoping there was something I was missing in my analysis that explaine
DANE is better than nothing in some cases but also can be worse than
nothing in other cases. It all comes down to whether the DANE record
has a certificate usage that specifies to skip checking the trust
store. Without DNSSEC, this leaves no functional trust chain.
DANE is impossible to exist without DNSSEC. The D in DANE is DNSSEC.
TLSA without DNSSEC can exist but TLSA is only part of DANE.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
ietf-smtp mailing list
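
Added example, not part of the original thread and not code from any of its participants: a sketch of the client-side decision the messages above argue about, using the RFC 6698 section 4.1 rule that a TLSA RRset is usable only when its DNSSEC validation state is secure. The `dnssec_state` string (assumed to come from a validating resolver), the `pkix_ok` flag (assumed result of ordinary trust-store validation), the return labels and the sample bytes are all assumptions of this example; only the end-entity usages 1 and 3 are handled.

```python
import hashlib
from dataclasses import dataclass

PKIX_EE, DANE_EE = 1, 3   # RFC 6698 certificate usages; 0 and 2 (trust-anchor usages) are not handled here

@dataclass
class TLSA:
    usage: int      # certificate usage
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def parse_tlsa(rdata: bytes) -> TLSA:
    """TLSA RDATA is three one-byte fields followed by the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the selected part of the presented certificate with the record."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False
    if rec.mtype == 0:
        return rec.data == selected
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(rec.mtype)
    return algo is not None and rec.data == algo(selected).digest()

def evaluate(rrset, dnssec_state, cert_der, spki_der, pkix_ok):
    """Return 'authenticated', 'no-dane' (apply the client's non-DANE policy) or 'abort'."""
    if dnssec_state == "bogus":
        return "abort"
    if dnssec_state != "secure":
        return "no-dane"   # unsigned TLSA data is unusable, whatever usage it claims
    usable = [r for r in rrset if r.usage in (PKIX_EE, DANE_EE)]
    if not usable:
        return "no-dane"
    for rec in usable:
        # DANE-EE skips the trust store; PKIX-EE still requires it to pass.
        if matches(rec, cert_der, spki_der) and (rec.usage == DANE_EE or pkix_ok):
            return "authenticated"
    return "abort"

# Constructed sample input: placeholder bytes, not real DER (matching is byte-level).
CERT = b"constructed certificate bytes"
SPKI = b"constructed public key bytes"
DANE_EE_REC = parse_tlsa(bytes([3, 1, 1]) + hashlib.sha256(SPKI).digest())
PKIX_EE_REC = parse_tlsa(bytes([1, 0, 2]) + hashlib.sha512(CERT).digest())

if __name__ == "__main__":
    for state in ("secure", "insecure", "bogus"):
        print(state, evaluate([DANE_EE_REC], state, CERT, SPKI, pkix_ok=False))
```

The usage 3 record authenticates a certificate that fails trust-store validation only when the RRset validated as secure; the same record over unsigned DNS is ignored rather than trusted.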