On Thu, Aug 15, 2024 at 10:46:37AM -0400, Phillip Hallam-Baker wrote:

> The registrars sold DNS names as loss leaders and made their money on
> SSL certs. So instead of driving DNSSEC deployment, DANE actually
> sabotaged it.

It is puzzling how DANE could sabotage DNSSEC deployment given there's no
deployment outside SMTP, and even in SMTP, DANE covers ~4.2 million signed
domains out of ~23 million total signed, which is out of ~360 million
delegated domains under signed public suffixes. So DANE is deployed for
SMTP on ~1.2% of delegated domains.

It seems in your view the DANE working group missed an opportunity to
drive DNSSEC deployment, ostensibly by specifying not only "0 0 1" records
(digest of authorised PKIX TA), but also DANE-TA and DANE-EE TLSA records,
which support private CAs or EE-only modes.

None of this has anything to do with connection latency. The latency cost
of looking up CAA records is not clearly lower than the cost of looking up
TLSA records.

-- 
Viktor.
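As an added illustration (not part of the message above or of any project's code), the following Python sketch shows what the TLSA usages named in the reply actually constrain on the client side: usage 0 ("0 0 1", PKIX-TA) and usage 1 require the conventional PKIX validation to succeed as well, while DANE-TA (2) and DANE-EE (3) authenticate purely from the DNSSEC-signed record, which is what makes private CAs and EE-only modes possible. Certificate bytes are constructed placeholders rather than real DER, the PKIX validation result is passed in as an assumption instead of being computed, and path building from the leaf to a DANE-TA anchor is left to the TLS library.

```python
"""Minimal TLSA record parser and DANE matcher (RFC 6698 / RFC 7671 semantics,
simplified).  Added example; the certificate bytes below are constructed
placeholders, not real DER."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Field values from RFC 6698; usage mnemonics from RFC 7218.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}

# A certificate as this example sees it: (full DER, SubjectPublicKeyInfo DER).
Cert = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 <hex>'.

    The hex field may be split over several whitespace-separated tokens,
    as dig prints long records."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING_TYPES:
        raise ValueError(f"unknown TLSA field values: {usage} {selector} {mtype}")
    data = bytes.fromhex("".join(parts[3:]))
    expected = {1: 32, 2: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} expects {expected} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def association_data(selector: int, mtype: int, cert: Cert) -> bytes:
    """Compute the bytes a TLSA record carries for this certificate."""
    selected = cert[0] if selector == 0 else cert[1]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_rdata_for(usage: int, selector: int, mtype: int, cert: Cert) -> str:
    """Presentation-format rdata an operator would publish for `cert`."""
    return f"{usage} {selector} {mtype} {association_data(selector, mtype, cert).hex()}"


def tlsa_matches(record: TLSA, cert: Cert) -> bool:
    computed = association_data(record.selector, record.matching_type, cert)
    return hmac.compare_digest(computed, record.data)


def dane_verify(records: Sequence[TLSA], chain: Sequence[Cert], pkix_valid: bool) -> bool:
    """Return True if any TLSA record authenticates the presented chain.

    `chain` is leaf first.  `pkix_valid` is the caller's answer to "does this
    chain validate under the conventional PKIX trust store?"; it is assumed
    here rather than computed.  For the TA usages this sketch only checks that
    the trust anchor appears among the issuer certificates; building the path
    from the leaf to that anchor is left to the TLS library."""
    if not chain:
        return False
    leaf, issuers = chain[0], chain[1:]
    for rec in records:
        if rec.usage == 3:    # DANE-EE: leaf matches; PKIX not consulted
            if tlsa_matches(rec, leaf):
                return True
        elif rec.usage == 2:  # DANE-TA: a (possibly private) TA matches; PKIX not consulted
            if any(tlsa_matches(rec, c) for c in issuers):
                return True
        elif rec.usage == 1:  # PKIX-EE: leaf matches AND PKIX validates
            if pkix_valid and tlsa_matches(rec, leaf):
                return True
        elif rec.usage == 0:  # PKIX-TA ("0 0 1"): TA matches AND PKIX validates
            if pkix_valid and any(tlsa_matches(rec, c) for c in issuers):
                return True
    return False


# Constructed placeholder certificates (not real DER), leaf first.
LEAF: Cert = (b"constructed leaf certificate DER", b"constructed leaf SPKI DER")
PRIVATE_CA: Cert = (b"constructed private CA certificate DER", b"constructed private CA SPKI DER")
CHAIN: List[Cert] = [LEAF, PRIVATE_CA]

if __name__ == "__main__":
    for rdata in (tlsa_rdata_for(3, 1, 1, LEAF), tlsa_rdata_for(2, 0, 1, PRIVATE_CA),
                  tlsa_rdata_for(0, 0, 1, PRIVATE_CA)):
        rec = parse_tlsa(rdata)
        print(USAGES[rec.usage], "without PKIX:", dane_verify([rec], CHAIN, pkix_valid=False),
              "with PKIX:", dane_verify([rec], CHAIN, pkix_valid=True))
```

Run stand-alone, the script shows the DANE-EE and DANE-TA records accepting the chain regardless of the PKIX result, while the "0 0 1" record only succeeds once PKIX validation is also assumed to pass. The `tlsa_rdata_for` helper doubles as a way to generate the record an operator would publish for a given certificate, using the same association-data computation the matcher uses.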