DNS-based Authentication of Named Entities (DANE) is a working group developing protocols that allow certificates to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).

On Wednesday, August 1, 2012, Don Stokes wrote:

Just another DJB rant. If I was cynical I might almost think he was making excuses for not cutting DNSSEC code for djbdns.

Seriously, he utterly misses the point. Signing A records and so forth provides very little in the way of end to end protection, true, but what it does provide is a trusted, consistent mechanism to place security information (public keys, certificates, etc.) which end-to-end services can use to secure those services, without having to involve third parties in every single deployment.

Basically, think of it not in terms of security for the DNS but as security information provided through the DNS.

-- don

On 01/08/12 08:31, Mark Goldfinch wrote:
Greetings all,

I recently came across a presentation by DJB taking an in-depth look at how DNSSEC operates:

I haven't seen much in the way of discussion on his assertions, so NZNOG, your opinion please!

Mark Goldfinch | Systems Team Leader


NZNOG mailing list