Comment by tptacek
3 days ago
This decreases the salience of DANE/DNSSEC by taking DNS queries off the per-issuance critical path. Attackers targeting multitenant platforms get only a small number of bites at the apple in this model.
DNS queries are still part of the critical path, as Let's Encrypt needs to check that the username is still allowed to receive a cert before each issuance.
Sure. It's yet another advantage of doing True DANE. But it still requires DNS to be reliable for the certificate issuance to work, there's no way around it.
So why not cut out the middleman?
(And the answer right now is "legacy compatibility")
I mean, the reason not to do DANE is that nobody will DNSSEC-sign, because DNSSEC signing is dangerous.
Come on. It's not dangerous, it's just inconvenient and clumsy. So nobody is really using it.