"Ted" == Ted Lemon <ted(_dot_)lemon(_at_)nominum(_dot_)com> writes:
Ted> On 07/13/2015 10:58 AM, Sam Hartman wrote:
>> Since no browsers support DANE, I don't think it's fair to give
>> an operational recommendation in favor of DNSsec. I don't think
>> it buys you anything with today's software.
Ted> What I had in mind with this is not so much DANE but rather
Ted> just being able to make the claim that the answer (e.g., AAAA
Ted> record) being returned to the host is actually a name owned by
Ted> the company claiming to operate the captive portal. I will
Ted> admit that I haven't really thought this through, and you are
Ted> right that one of the more obvious use cases for this would be
Ted> validating the cert using TLSA. Of course if the portal
Ted> doesn't support the TLSA queries, that means that the host
Ted> can't require that they work, which seems like a bad outcome,
Ted> so recommending support for DNSSEC is a win even if the hosts
Ted> don't initially use it.
I have never been convinced that DNSsec validation of A or AAAA records
has value.
I understand I am a heretic in the security community for saying that,
but there it is.
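To make concrete what "validating the cert using TLSA" would ask of a host, here is an added example that is not code from Ted, Sam, or any captive-portal implementation. It follows RFC 6698: it builds and parses TLSA RDATA (usage, selector, matching type, association data), matches a presented certificate against it, and only trusts the answer when a validating resolver set the AD bit. The certificate and SubjectPublicKeyInfo bytes, the resolver-answer dict, and the function names are all constructed for the example; usages 0 and 2 (trust-anchor forms) need chain processing and are not handled.

```python
"""TLSA (DANE) end-entity matching per RFC 6698, as an added illustration.

Not code from the thread above or from any captive-portal implementation.
CERT_DER / SPKI_DER are constructed stand-ins, not real DER objects.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in inputs (assumption): in practice these are the DER
# certificate the portal's TLS server presents and the SPKI inside it.
CERT_DER = b"\x30\x82\x01\x2a" + bytes(range(32))
SPKI_DER = b"\x30\x59" + bytes(range(32, 64))


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Split TLSA RDATA into its three one-octet fields and the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA rdata too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def _selected(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown TLSA selector {selector}")


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record must carry for this certificate under (selector, mtype)."""
    chosen = _selected(selector, cert_der, spki_der)
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def build_tlsa_rdata(usage: int, selector: int, mtype: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Wire-format RDATA a zone operator would publish for this certificate."""
    return bytes([usage, selector, mtype]) + association_data(selector, mtype, cert_der, spki_der)


def tlsa_matches(tlsa: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies this record's association data."""
    try:
        expected = association_data(tlsa.selector, tlsa.mtype, cert_der, spki_der)
    except ValueError:
        return False  # unusable record: unknown selector or matching type
    return hmac.compare_digest(expected, tlsa.data)


def check_portal_tlsa(response: dict, cert_der: bytes, spki_der: bytes) -> str:
    """Decide whether a TLSA answer lets the host accept the portal certificate.

    `response` is a constructed stand-in for a stub resolver's answer:
    {"ad": <AD bit from a validating resolver>, "rrset": [rdata, ...]}.
    Returns:
      "unsigned"  AD clear: the TLSA data is unauthenticated and must be ignored
      "no-tlsa"   authenticated empty answer: nothing to require, ordinary PKIX applies
      "matched"   a DANE-EE (usage 3) record matches the presented certificate
      "pkix-ee"   a PKIX-EE (usage 1) record matches; PKIX chain validation is
                  still required and is outside this example
      "nomatch"   records exist but none of the end-entity usages matches
                  (usages 0 and 2 need chain processing, not handled here)
    """
    if not response.get("ad"):
        return "unsigned"
    records = [parse_tlsa_rdata(r) for r in response.get("rrset", [])]
    if not records:
        return "no-tlsa"
    for rec in records:
        if rec.usage in (1, 3) and tlsa_matches(rec, cert_der, spki_der):
            return "matched" if rec.usage == 3 else "pkix-ee"
    return "nomatch"


if __name__ == "__main__":
    rdata = build_tlsa_rdata(3, 1, 1, CERT_DER, SPKI_DER)  # "3 1 1" record
    print(parse_tlsa_rdata(rdata))
    print(check_portal_tlsa({"ad": True, "rrset": [rdata]}, CERT_DER, SPKI_DER))
```

The "unsigned" branch is the point of the exchange above: without a DNSSEC-validating path from the host to the portal's zone, the TLSA RRset is just bytes anyone on the network could have supplied, so a host cannot require it. A real client would obtain cert_der and spki_der from the TLS handshake and the AD bit from a trusted validating resolver (or validate locally).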