<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<div class="moz-cite-prefix">On 4/23/2025 6:25 PM, Salz, Rich via
cryptography wrote:<br>
</div>
<blockquote type="cite"
cite="mid:IA1PR17MB6421CE31737B0FEFB3B8747FCDBA2@IA1PR17MB6421.namprd17.prod.outlook.com">
<div class="WordSection1">
<div id="mail-editor-reference-message-container">
<div>
<div>
<div>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:.25in;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt">All the CAbal exists only
because of browsers refusing to do DNSSEC,<br>
even now they have a clean and secure path via DoH
anyways....<br>
<br>
</span></li>
</ul>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">If
some random client Joe wants to securely browse some
random site foo.blog, how many parties need to be
involved? With TLS, I need the browser and its
trust store, Joe, and the owner of foo.blog talking
to a CA. Let’s pick a more complicated example,
<a class="moz-txt-link-abbreviated" href="http://www.kingston.ci.ma.us">www.kingston.ci.ma.us</a>. The number of entities is
still the same. What’s it like for DNSSEC?
Honestly curious.</span></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<p>With DNSSEC+DANE (if browsers add DANE support), the website
owner can just use a self-signed TLS cert and create a TLSA record
(DANE-EE mode) for the domain name that contains the hash of the
self-signed cert. That's it.<br>
</p>
<p>The web browser just has to fetch the TLSA record (with DNSSEC
validation), and then match the hash with the cert that the server
sends during the TLS handshake.<br>
</p>
<div class="moz-signature">
<p>
Regards,<br>
<b>Shreyas Zare</b><br>
<a href="https://technitium.com/">Technitium</a>
</p>
</div>
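<p>Worked example of the exchange described above, added here and not part of the original message or of Technitium's code: the owner's side builds the DANE-EE TLSA record from a constructed stand-in for the self-signed certificate's DER bytes, and the client's side checks a presented certificate against that record. Hostname, port and certificate bytes are made up, and DNSSEC validation of the TLSA RRset is assumed to have already succeeded before the match is done.</p>

```python
import hashlib
import hmac
import re

# TLSA field values from RFC 6698: usage 3 = DANE-EE, selector 0 = full cert,
# selector 1 = SubjectPublicKeyInfo, matching 0 = exact, 1 = SHA-256, 2 = SHA-512.
DANE_EE = 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed stand-in for the DER bytes of foo.blog's self-signed certificate;
# a real client hashes exactly the bytes the server sends in the handshake.
SELF_SIGNED_CERT_DER = b"\x30\x82\x01\x00" + b"foo.blog self-signed cert (constructed)"

def association_data(data: bytes, matching_type: int) -> bytes:
    """Reduce the selected certificate data as the matching type requires."""
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching_type}")

def tlsa_record(host: str, port: int, data: bytes, usage: int = DANE_EE,
                selector: int = SEL_FULL_CERT, matching_type: int = MATCH_SHA256) -> str:
    """Site owner side: the zone-file TLSA RR for host:port over TCP.
    With selector 1, pass the DER SubjectPublicKeyInfo instead of the whole cert."""
    cad = association_data(data, matching_type).hex()
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {matching_type} {cad}"

_TLSA_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)$")

def cert_matches_tlsa(record: str, presented_der: bytes) -> bool:
    """Client side: does the cert from the TLS handshake satisfy the TLSA record?
    Only meaningful if the TLSA RRset passed DNSSEC validation; an unvalidated
    record would let whoever controls the DNS path choose the pin."""
    m = _TLSA_RE.match(record.strip())
    if not m:
        return False
    usage, selector, matching_type = int(m[1]), int(m[2]), int(m[3])
    if usage != DANE_EE or selector != SEL_FULL_CERT:
        return False  # this example only implements DANE-EE over the full certificate
    try:
        got = association_data(presented_der, matching_type)
        expected = bytes.fromhex(m[4])
    except ValueError:  # unknown matching type or malformed hex field
        return False
    return hmac.compare_digest(got, expected)
```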
</body>
</html>