[Standards] Unsigned DANE records for TLS assertions

Tony Finch dot at dotat.at
Thu Dec 5 12:58:18 UTC 2013


Peter Saint-Andre <stpeter at stpeter.im> wrote:

> > I would note that an unsigned TLSA concept would implicitly mandate
> > TLS - as such, the right comparison is with XEP-0220 over TLS,
> > rather than "vanilla" XEP-0220.
>
> I'd be curious to hear what Tony or other DNS experts have to say.

I don't think this is a DNS question per se - it's about systems security:
trade-offs between the exploitability of various vulnerabilities, the
complexity of various (partial) defences, and the deployability of
defences.

I think there might be an advantage to bypassing the ordering constraint
that you have to have DNSSEC before you can have DANE before you can have
strong certificate checking. But you have to be careful that you have a
clear forward path that leads to a good endpoint and is (preferably)
downhill all the way.

A related example: OpenSSH uses unsigned SSHFP as a hint to the user, but
does not trust them. So there is a precedent, but it is hard to get a
human in the loop on a server-to-server connection :-)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


