dnssec-trigger + GNOME + NetworkManager integration

Michael Catanzaro mcatanzaro at gnome.org
Fri Jul 3 14:44:55 UTC 2015


On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote:
> For the record, and all this can be solved by DNSSEC + DANE. See RFC 
> 6698.

I was planning to use DANE as a second required check in addition to
the normal certificate chain. That is, if either the certificate chain
doesn't check out or DANE fails, then something is spooky and the site
should be inaccessible. Other browsers are throwing around ideas about
using DANE to make the site accessible in the event the certificate
chain fails, which seems like the wrong direction to me. I haven't
really seen any good arguments in favor of one approach or the other,
though.

Michael


More information about the devel mailing list