LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

DANE

DANE

Posted Jan 6, 2013 16:38 UTC (Sun) by tialaramex (subscriber, #21167)
In reply to: Fraudulent certificates in the wild — again by paulj
Parent article: Fraudulent certificates in the wild — again

And in fact work on the standards to make this happen is already done, as RFC 6698 - DANE, DNS Authentication of Named Entities for SSL / TLS protected services like HTTPS or IMAPS

For SSH it not only exists, as the SSHFP record but the software to support it is widely deployed (modern OpenSSH), if your organisation has DNSSEC signed DNS records and a vaguely modern resolver on machines that run SSH clients then you can put the public key signatures into DNS and throw away all those known_hosts files that are such a pain to maintain and distribute on big networks.

Actually getting DANE supported is a problem. Mozilla has sat on a Firefox patch for about a year, Internet Explorer would probably only introduce support if it became a Must Have for some reason. The bigger the dinosaur the more tempting it is to preserve the status quo, no matter how miserable that is for users.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds