On Tue, Aug 13, 2024 at 02:11:44PM +0100, Ted Hardie wrote:

> If you switch to DANE, instead of having the CA/browser forum members
> receive these requests, the DNS registrars or registries will.

But if the DNS registry is the sanctioned ccTLD, it can continue to mint
signed delegations, without any other party needing to consent. And then
each delegated domain can mint its own TLSA records.

This does remove a non-trivial chunk of the potential barriers. What it
does not solve is e.g. a sanctioned entity trying to renew registration
of a .com domain, or trying to remain a customer of an offshore DNS
hosting provider that must abide by the sanctions.

But a self-hosted in-ccTLD domain, or one with a local DNS operator,
does *not* need to involve any out-of-country entities to implement
DANE TLSA records.

-- 
    Viktor.
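The point above rests on a domain being able to publish its own TLSA records with no CA in the trust path. The following is an added illustration, not code from this thread or from any DANE implementation: it builds a DANE-EE "3 1 1" TLSA record and applies the RFC 6698 section 2.1 matching rules (certificate usage, selector, matching type) to a presented chain, using only the Python standard library. The "certificates" are constructed byte strings standing in for DER-encoded X.509 objects and their SubjectPublicKeyInfo; a real deployment would extract those with an X.509 parser, and the PKIX validation that usages 0 and 1 additionally require is deliberately not modelled.

```python
# Added example: TLSA record generation and DANE matching (RFC 6698 s.2.1).
# Certificates here are constructed byte strings, not real DER.
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Certificate usages (RFC 6698, acronyms from RFC 7218)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors: 0 = full certificate, 1 = SubjectPublicKeyInfo
SEL_CERT, SEL_SPKI = 0, 1
# Matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate."""
    der: bytes   # full DER encoding (selector 0)
    spki: bytes  # DER SubjectPublicKeyInfo (selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # Certificate Association Data

    def presentation(self, owner: str) -> str:
        """Zone-file form, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 <hex>'."""
        return (f"{owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching} {self.data.hex()}")


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Compute the association data for one certificate under a selector/matching type."""
    raw = cert.der if selector == SEL_CERT else cert.spki
    if matching == MATCH_FULL:
        return raw
    if matching == MATCH_SHA256:
        return hashlib.sha256(raw).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert: Cert, usage: int = DANE_EE, selector: int = SEL_SPKI,
              matching: int = MATCH_SHA256) -> TLSA:
    """Mint a TLSA record for a certificate; defaults to the common '3 1 1' form."""
    return TLSA(usage, selector, matching, association_data(cert, selector, matching))


def dane_match(chain: List[Cert], records: List[TLSA]) -> Optional[TLSA]:
    """Return the first TLSA record satisfied by the presented chain, else None.

    chain[0] is the end-entity certificate, the rest are issuer certificates.
    Usages 1 and 3 must match the end entity; usages 0 and 2 must match some
    issuer in the chain. Records with an unknown usage are ignored (unusable),
    which is what RFC 7671 prescribes. PKIX validation is NOT performed here.
    """
    for rr in records:
        if rr.usage in (PKIX_EE, DANE_EE):
            candidates = chain[:1]
        elif rr.usage in (PKIX_TA, DANE_TA):
            candidates = chain[1:]
        else:
            continue  # unknown usage: treat as unusable
        for cert in candidates:
            if association_data(cert, rr.selector, rr.matching) == rr.data:
                return rr
    return None


# Constructed sample material (placeholders, not real certificates).
SERVER = Cert(der=b"constructed-der-cert-1", spki=b"constructed-spki-key-A")
RENEWED = Cert(der=b"constructed-der-cert-2", spki=b"constructed-spki-key-A")  # same key
ROTATED = Cert(der=b"constructed-der-cert-3", spki=b"constructed-spki-key-B")  # new key
ISSUER = Cert(der=b"constructed-der-issuer", spki=b"constructed-spki-issuer")

RR_EE = make_tlsa(SERVER)                                   # 3 1 1: no CA involved
RR_TA = make_tlsa(ISSUER, DANE_TA, SEL_CERT, MATCH_SHA256)  # 2 0 1: pin an issuer
RR_BAD = TLSA(9, SEL_SPKI, MATCH_SHA256, RR_EE.data)        # unknown usage, must be ignored


def demo() -> dict:
    """Exercise the matching rules; returns which cases matched."""
    return {
        "ee_match": dane_match([SERVER], [RR_EE]) is RR_EE,
        # Selector 1 pins the key, so a renewed cert with the same key still matches.
        "renewed_same_key": dane_match([RENEWED], [RR_EE]) is RR_EE,
        # A key rotation without a DNS update fails closed.
        "rotated_key": dane_match([ROTATED], [RR_EE]) is None,
        # Usage 2 is satisfied by an issuer cert in the chain, not the end entity.
        "ta_match": dane_match([SERVER, ISSUER], [RR_TA]) is RR_TA,
        "ta_not_ee": dane_match([ISSUER], [RR_TA]) is None,
        "unknown_usage_ignored": dane_match([SERVER], [RR_BAD]) is None,
    }


if __name__ == "__main__":
    print(RR_EE.presentation("_443._tcp.example.com."))
    print(demo())
```

The "renewed_same_key" and "rotated_key" cases are the operational consequence of choosing selector 1: the record pins the public key rather than a particular certificate, so routine renewals need no DNS change, while a key rotation must be published (and allowed to propagate past the old TTL) before the new key goes live.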