

One year of DANE – tales and lessons learned [pdf] - liotier
https://ripe70.ripe.net/presentations/183-dane-ripe.pdf

======
falcolas
Doesn't this simply move the issue of trust up to the DNSSEC certificate
holders? What is to stop them from creating the same abuses of identity which
affect TLS as presented early in the slides?

~~~
detaro
But it takes someone "up the tree" from your domain to be compromised/evil, vs
with CAs any generally trusted CA can create a cert for your domain. While it
doesn't help against everything, it still improves things.

(OT: does anyone know a good German/European domain registrar/DNS provider
that offers DNSSEC without jumping through too many hoops?)

~~~
feld
Gandi does (France)

Maybe Joker if you want German

------
mike-cardwell
If anyone wants to test DANE with SMTP, I have it set up on grepular.com. Feel
free to email me. Details in my profile.

