Comment by cyberax
2 months ago
I sign my zones :)
The reliable way is DoH/DoT, which are rapidly going to become the standard. They don't suffer from fragmentation issues, so they can reliably get the DNSSEC chain.
Or maybe the next step is putting the stapled response into the certificate. Perhaps it can even be used by Let's Encrypt as a part of the challenge, providing the incentive to get it right.
The original stapled DNSSEC experiment was suffering from misaligned incentives. CAs didn't care at all about it.
Huh? What did CAs have to do with stapling?
Stapling needs to be an intermediary step, in parallel with existing trusted CAs. When stapling was tried first in Chrome, no CAs were interested in setting up something like Let's Encrypt, using DNSSEC to automatically issue certificates.
No it doesn't? Why would it? I'm confused by what it is you think CAs have to do with DNSSEC stapling. CAs are absolutely not the reason DANE staples failed.
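The DoH point raised above, that an authenticated transport to a validating resolver is what makes the DNSSEC result worth trusting, as an added Python example that is not part of the thread and not any commenter's code: it builds an RFC 8484 DoH GET request carrying a DNS query with the EDNS(0) DO bit set, then parses a constructed (not captured) wire-format response and checks the AD flag and RRSIG coverage of the answers. The resolver URL https://dns.example/dns-query, the address 192.0.2.1, the key tag and the signature bytes are placeholders; nothing touches the network and no signature is cryptographically verified.

```python
"""DoH query construction and DNSSEC-flag inspection (added example, stdlib only)."""
import base64
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1
FLAG_AD = 0x0020     # Authenticated Data bit in the header flags (RFC 4035)
EDNS_DO = 0x8000     # DNSSEC OK bit in the OPT pseudo-RR TTL field (RFC 3225)


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(name, qtype=TYPE_A, udp_size=4096):
    # ID 0 with RD set; RFC 8484 4.1 asks for ID 0 so DoH GET URLs are cacheable.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root owner, TYPE 41, CLASS = payload size, TTL = flags with DO set.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def doh_get_url(resolver_url, msg):
    # RFC 8484 section 6: base64url without padding in the "dns" query parameter.
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + b64


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers, rrsigs, do = [], [], False
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        elif rtype == TYPE_RRSIG:
            covered, alg, _labels, _ottl, _exp, _inc, key_tag = struct.unpack_from("!HBBIIIH", rdata, 0)
            signer, sig_off = decode_name(rdata, 18)   # signer name is never compressed (RFC 4034 3.1.7)
            rrsigs.append({"owner": owner, "type_covered": covered, "algorithm": alg,
                           "key_tag": key_tag, "signer": signer, "signature": rdata[sig_off:]})
        else:
            answers.append((owner, rtype, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "do": do, "answers": answers, "rrsigs": rrsigs}


def answers_are_signed(parsed):
    """True only if the resolver asserted validation (AD) and every answer RRset has a covering RRSIG."""
    if not parsed["ad"]:
        return False
    covered = {(r["owner"], r["type_covered"]) for r in parsed["rrsigs"]}
    return all((owner, rtype) in covered for owner, rtype, _ in parsed["answers"])


def constructed_response():
    """Constructed sample (not a real capture): example.com A plus its RRSIG, AD set, DO echoed."""
    name = encode_name("example.com")
    header = struct.pack("!HHHHHH", 0, 0x8180 | FLAG_AD, 1, 2, 0, 1)
    question = name + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xC0\x0C"                         # pointer back to the question name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    sig = bytes(range(64))                    # placeholder bytes, not a valid ECDSA P-256 signature
    rrsig_rdata = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0x60000000, 0x5FFF0000, 12345) + name + sig
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(rrsig_rdata)) + rrsig_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + a_rr + rrsig_rr + opt


if __name__ == "__main__":
    print(doh_get_url("https://dns.example/dns-query", build_query("example.com")))
    print(answers_are_signed(parse_response(constructed_response())))
```

The AD bit only says that the resolver claims to have validated; it is worth trusting when the resolver is yours or is reached over an authenticated transport such as DoH or DoT, which is the thread's point. Full local validation would mean fetching the DNSKEY and DS records up to the root and checking each signature, which this block deliberately does not attempt; it only shows what the client asks for (DO) and what it should refuse to accept (answers without AD or without a covering RRSIG).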