

DNSSEC authenticated HTTPS in Chrome - dchest
http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

======
mechazoidal
The other post linked from this entry notes that this is based on Dan
Kaminsky's DNSSEC presentation. Dan has a pretty interesting line of articles
describing doing this kind of stuff in DNSSEC starting here:
<http://dankaminsky.com/2010/12/13/dnssec-ch1/>

------
zoowar
LOL <https://dnssec.imperialviolet.org/> is self-signed

~~~
wmf
That's the point; it uses DNSSEC instead of the CA system.

~~~
zoowar
host -t cert imperialviolet.org

imperialviolet.org has no CERT record

Still LOLing

~~~
capnrefsmmat
> The DNSSEC stapled data is embedded in an X.509 certificate (as opposed to
> extending TLS or using a different certificate format) because every HTTPS
> server will take an X.509 certificate as an opaque blob and it Just Works.
> All the other possibilities introduce significant barriers to adoption.

It's not in the CERT record. The DNSSEC signature chain is carried in the SSL
cert.

