Deployment news (comcast.net publishes TLSA RRs)
patrickdk at patrickdk.com
Sat Nov 21 04:38:14 CET 2015
Quoting Viktor Dukhovni <ietf-dane at dukhovni.org>:
> On Fri, Nov 20, 2015 at 09:48:43PM -0500, Patrick Domack wrote:
>> Yes, I have noticed it is a big movement in Germany. Have had a lot of
>> people asking for help on setting up dane the last few months from there.
>> But can't get any movement that is noticeable here in the USA.
> Perhaps we need a new protocol by which a TLS server can securely
> pre-publish the next certificate without activating it (say include
> it in a new TLS extension), thus allowing the DNS server operator
> to automate TLSA record updates by querying the SMTP server
> (authenticated via the current records).
That sounds pretty difficult to adjust for, and would need a lot of changes.
I like the current dnssec method, where we can publish multiple keys.
I will generally publish a new key a month ahead of time for my ksk
rollover, then rotate it, and then a month later remove the old key.
The same method could be done for tlsa, by publishing multiple
records. I have not tested if any software accepts this or not, but
just publishing the new one a week ahead of time, rotating it, and
removing the old one at the same or later time (in case of failback),
to me sounds like the preferred method.
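The staged rollover described in the message (pre-publish the new TLSA record, switch the server, then retire the old record) can be checked mechanically. The following is an added example written for this page, not code from the post or from any DANE project. It computes RFC 6698 association data from DER bytes, walks the three stages, and verifies the one invariant that keeps DANE verification passing at every stage: the certificate the server presents must always match at least one published record. The SPKI byte strings are constructed placeholders, not real keys, and the TTL-based wait before rotating is this example's own assumption (the post only says "a week ahead").

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698 certificate usage: 3 = DANE-EE, 2 = DANE-TA
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: str       # hex-encoded certificate association data


def tlsa_from_der(selector_data: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the TLSA record for the bytes the selector picks out.

    The caller passes either the whole certificate DER (selector 0) or only
    its SubjectPublicKeyInfo DER (selector 1); this function only hashes.
    """
    if mtype == 0:
        digest = selector_data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(selector_data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(selector_data).hexdigest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return TLSA(usage, selector, mtype, digest)


def presentation(rec: TLSA) -> str:
    """Zone-file form, e.g. '3 1 1 <hex>'."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data}"


def parse_presentation(text: str) -> TLSA:
    """Inverse of presentation(); hex is normalised to lower case."""
    usage, selector, mtype, data = text.split()
    return TLSA(int(usage), int(selector), int(mtype), data.lower())


def matches_any(published: FrozenSet[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """Check a served certificate against every published record, recomputing
    the association data per record's own selector and matching type."""
    for rec in published:
        data = cert_der if rec.selector == 0 else spki_der
        if tlsa_from_der(data, rec.usage, rec.selector, rec.mtype) == rec:
            return True
    return False


def staged_rollover(published: FrozenSet[TLSA], old: TLSA, new: TLSA) -> List[Tuple[str, FrozenSet[TLSA], TLSA]]:
    """The three stages from the post as (stage, DNS record set, record of the served key)."""
    both = published | {new}
    return [
        ("pre-publish", both, old),        # new record added ahead of time; server still serves old key
        ("rotate", both, new),             # server switches; both records remain published
        ("cleanup", both - {old}, new),    # old record removed once failback is no longer wanted
    ]


def stage_is_safe(records: FrozenSet[TLSA], served: TLSA) -> bool:
    """Invariant: whatever the server presents must match a published record."""
    return served in records


def ok_to_rotate(published: FrozenSet[TLSA], new: TLSA, seconds_since_publish: int, tlsa_ttl: int) -> bool:
    """Assumption of this example: do not switch the server until the new
    record is in DNS and at least one TTL has elapsed, so no resolver still
    holds a cached answer lacking it."""
    return new in published and seconds_since_publish >= tlsa_ttl


# Constructed placeholder SPKI blobs (not real keys) used to drive the demo.
OLD_SPKI = b"constructed-old-spki-der"
NEW_SPKI = b"constructed-new-spki-der"


def demo() -> List[Tuple[str, bool]]:
    """Run the rollover and report whether each stage preserves the invariant."""
    old = tlsa_from_der(OLD_SPKI)
    new = tlsa_from_der(NEW_SPKI)
    published = frozenset({old})
    return [(name, stage_is_safe(records, served))
            for name, records, served in staged_rollover(published, old, new)]


if __name__ == "__main__":
    for name, safe in demo():
        print(f"{name:12s} {'ok' if safe else 'BREAKS DANE'}")
```

The `cleanup` stage is where a careless rollback bites: once the old record is gone, switching the server back to the old key fails the invariant, which is exactly why the post suggests removing the old record only when failback is no longer needed.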