[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Christian de Larrinaga cdel at firsthand.net
Fri Apr 25 07:59:53 EDT 2025


Shreyas Zare <shreyas at technitium.com> writes:

> On 4/25/2025 3:36 PM, Christian de Larrinaga wrote:
>> Shreyas Zare via cryptography <cryptography at metzdowd.com> writes:
>>>> *That* is what certificates protect against.  DNSSEC will not help
>>>> you at all because as long as you are connected to my hot spot, I
>>>> control the entire Internet from your point of view, not just DNS.
>>> DNSSEC will help protect with DANE. Controlling a hot spot does not
>>> make it vulnerable.
>>>
>>> Its about time web browsers add support for DANE as an alternative
>>> option for people who want to use it.
>>>
>>> Regards,
>>> *Shreyas Zare*
>> DNSSEC signing a zone to the root is needed first?
>
> Yes, that's the prerequisite to have the zone signed. Which is much
> easier to do with some DNS providers which give you an ON/OFF switch
> to sign your zone.
>
>
> Regards
> *Shreyas Zare*
> Technitium <https://technitium.com/>

If DANE is totally dependent on DNSSEC being correctly implemented, that
is a significant barrier.

In regard to validating self-signed certs in DANE: how do the service, and
also a user of a service that has implemented DNSSEC and DANE for a zone,
distinguish whether both the DNS delegation is signed and operating correctly
and the service's self-signed cert is authentic and can be "trusted"?



-- 
Christian de Larrinaga 
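A worked illustration of the check the question above asks about, added here as an editorial example; it is not part of this message or of any list member's code. It is a Go program (the names newSelfSignedCert, tlsaFromCert, verifyDANE and TLSARecord are this example's own) that builds a self-signed certificate, derives the TLSA "3 1 1" record a zone owner would publish for it, and then checks a certificate presented at connection time against that record. The AuthenticData field stands in for the AD bit a validating resolver sets on a DNSSEC-validated answer; the verifier refuses any record without it, which is what separates a signed, correctly operating delegation from an answer a hot-spot operator could have forged. The certificate and the record are constructed inside the program, so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord models the fields of a TLSA answer that matter for DANE-EE.
// Usage 3 = DANE-EE, Selector 1 = SubjectPublicKeyInfo, MatchingType 1 = SHA-256.
// AuthenticData mirrors the AD bit a validating resolver sets; without it the
// record could have been written by whoever controls the network path, so it
// must not be trusted. (Example type, not a real DNS library's.)
type TLSARecord struct {
	Usage         uint8
	Selector      uint8
	MatchingType  uint8
	Data          []byte
	AuthenticData bool
}

// newSelfSignedCert builds the kind of self-signed leaf certificate a DANE-EE
// deployment would serve for name, and returns its DER encoding.
func newSelfSignedCert(name string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(47 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Parent == template makes the certificate self-signed.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// tlsaFromCert computes the "3 1 1" record data the zone owner publishes:
// SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate.
// AuthenticData is true here because the owner publishes it in a signed zone.
func tlsaFromCert(der []byte) (TLSARecord, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return TLSARecord{}, err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSARecord{Usage: 3, Selector: 1, MatchingType: 1, Data: sum[:], AuthenticData: true}, nil
}

// verifyDANE reports whether the certificate presented by the server for name
// is the one its zone owner published. Two things must both hold:
//  1. every TLSA answer was DNSSEC-validated (AD bit) by a trusted resolver;
//  2. SHA-256 of the presented certificate's SPKI equals a record's data.
// A self-signed certificate needs no CA: the signed zone is the trust anchor.
func verifyDANE(name string, presentedDER []byte, recs []TLSARecord) error {
	cert, err := x509.ParseCertificate(presentedDER)
	if err != nil {
		return err
	}
	if err := cert.VerifyHostname(name); err != nil {
		return err
	}
	spkiHash := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	for _, r := range recs {
		if !r.AuthenticData {
			return errors.New("TLSA answer was not DNSSEC-validated: refusing to trust it")
		}
		if r.Usage != 3 || r.Selector != 1 || r.MatchingType != 1 {
			continue // only DANE-EE / SPKI / SHA-256 is handled in this example
		}
		if bytes.Equal(spkiHash[:], r.Data) {
			return nil
		}
	}
	return errors.New("no TLSA record matches the presented certificate")
}

func main() {
	const name = "example.net" // constructed sample name
	der, err := newSelfSignedCert(name)
	if err != nil {
		panic(err)
	}
	rec, _ := tlsaFromCert(der)
	fmt.Printf("_443._tcp.%s. IN TLSA %d %d %d %s\n",
		name, rec.Usage, rec.Selector, rec.MatchingType, hex.EncodeToString(rec.Data))
	fmt.Println("genuine cert:", verifyDANE(name, der, []TLSARecord{rec}))

	// A hot-spot operator serving his own self-signed cert for the same name.
	forged, _ := newSelfSignedCert(name)
	fmt.Println("forged cert: ", verifyDANE(name, forged, []TLSARecord{rec}))
}
```

Two simplifications to keep in mind when reading this: a real DANE client distinguishes an unsigned (insecure) zone, where it falls back to ordinary Web PKI validation, from a bogus signature, where it hard-fails, whereas this example hard-fails on anything unauthenticated; and the AD bit only means something if the validating resolver runs on the client host or is reached over a path the hot spot cannot tamper with, otherwise the hot-spot operator simply sets the bit himself.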

