In message <CAK6vND8qtt29Ln9cPE+eiQ29+y3bNMsy9DsaBFNgS+fWfg_8Ew(_at_)mail(_dot_)gmail(_dot_)com>, Peter Bowen writes:
> On Tue, Jun 17, 2014 at 8:39 AM, Brandon Long <blong(_at_)google(_dot_)com> wrote:
>> Of course, my point is that clearly DANE is better than nothing and DNSSEC
>> makes it better. I don't see how leaving out DNSSEC adds holes that don't
>> already exist worse without DANE.
>> I was hoping there was something I was missing in my analysis that explained
>> it.
> DANE is better than nothing in some cases but also can be worse than
> nothing in other cases. It all comes down to whether the DANE record
> has a certificate usage that specifies to skip checking the trust
> store. Without DNSSEC, this leaves no functional trust chain.
DANE cannot exist without DNSSEC. The D in DANE is DNSSEC.
TLSA without DNSSEC can exist, but TLSA is only part of DANE.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
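An added example, not from this thread or any project: a small Python validator illustrating Peter's point about TLSA certificate usages and why the record is only meaningful when the DNS answer is DNSSEC-secured. Certificates are modelled as constructed (DER, SubjectPublicKeyInfo) byte pairs, and the caller is assumed to already know whether the TLSA answer validated under DNSSEC and whether ordinary trust-store (PKIX) validation passed.

```python
import hashlib
from dataclasses import dataclass

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3  # RFC 6698 usages; 2/3 skip the trust store
Cert = tuple[bytes, bytes]  # (DER cert, SubjectPublicKeyInfo); constructed stand-ins below

@dataclass
class TLSA:
    usage: int
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA: three one-octet fields, then the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def tlsa_matches(rec: TLSA, cert: Cert) -> bool:
    subject = cert[0] if rec.selector == 0 else cert[1]
    if rec.matching_type == 0:
        return subject == rec.data
    if rec.matching_type in (1, 2):
        algo = hashlib.sha256 if rec.matching_type == 1 else hashlib.sha512
        return algo(subject).digest() == rec.data
    return False  # unknown matching type: record is unusable

def dane_verdict(records, dnssec_secure, chain, pkix_valid):
    """'dane': authenticated by DNSSEC-secured TLSA data; 'pkix': DANE not
    usable and the trust-store verdict passed; 'reject': nothing authenticates."""
    if not dnssec_secure:
        records = []  # unauthenticated TLSA data is treated as absent (RFC 7672)
    for rec in records:
        # EE usages match the leaf (chain[0]); TA usages match an issuer in the
        # chain (full DANE-TA validation would also build the path to it).
        targets = chain[:1] if rec.usage in (PKIX_EE, DANE_EE) else chain[1:]
        if not any(tlsa_matches(rec, c) for c in targets):
            continue
        if rec.usage in (DANE_TA, DANE_EE) or pkix_valid:
            return "dane"
    if records:
        return "reject"  # secured TLSA data present but nothing usable matched
    return "pkix" if pkix_valid else "reject"

# Constructed demo: a usage-3 record for a cert the trust store rejects.
LEAF: Cert = (b"demo-leaf-der", b"demo-leaf-spki")
EE_RDATA = bytes([DANE_EE, 1, 1]) + hashlib.sha256(LEAF[1]).digest()
UNSIGNED = dane_verdict([parse_tlsa(EE_RDATA)], False, [LEAF], False)  # 'reject'
SECURED = dane_verdict([parse_tlsa(EE_RDATA)], True, [LEAF], False)    # 'dane'
```

The same usage-3 record is honoured only when the answer carrying it was DNSSEC-validated; from an unsigned zone it is ignored and the connection falls back to whatever the trust store says.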