Hey,
> The majority of deployments do not have DNSSEC in place.

Chicken-and-egg reasoning is killing for advancing the Internet. However, the situation is not as grim as you say:

- Servers increasingly run under DNSSEC-supportive domains.
- Clients can easily incorporate DNSSEC-aware resolver libraries such as libunbound or libgetdns.

> So some name check for TLS certs is strictly required for preventing MITM attacks.

That has merits all on its own, agreed. Anyone working on it yet? Until then, I fear DANE is all we've got.

> IMO DNSSEC/DANE is not of much use for LDAP with TLS.

We disagree on that, but there is no reason to make an either/or choice between the approaches.
-Rick