On 07/13/2015 10:58 AM, Sam Hartman wrote:
> Since no browsers support DANE, I don't think it's fair to give an
> operational recommendation in favor of DNSSEC. I don't think it buys
> you anything with today's software.
What I had in mind with this is not so much DANE but rather just being
able to make the claim that the answer (e.g., AAAA record) being
returned to the host is actually a name owned by the company claiming to
operate the captive portal. I will admit that I haven't really thought
this through, and you are right that one of the more obvious use cases
for this would be validating the cert using TLSA. Of course if the
portal doesn't support the TLSA queries, that means that the host can't
require that they work, which seems like a bad outcome, so recommending
support for DNSSEC is a win even if the hosts don't initially use it.
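The TLSA check the reply gestures at (matching the portal's certificate against a DNSSEC-signed TLSA record, and having nothing to insist on when the portal name publishes none) is sketched below as an added Python illustration; it is not code from this thread or from any captive-portal implementation. It assumes the TLS stack hands over the server certificate's DER encoding and its SubjectPublicKeyInfo, and that the resolver reports whether the TLSA answer was DNSSEC-validated (the AD bit). The certificate bytes and records are constructed stand-ins, and only the end-entity usages (1 PKIX-EE, 3 DANE-EE) from RFC 6698 are compared.

```python
import hashlib
from dataclasses import dataclass
from typing import Sequence

# RFC 6698 certificate usages, selectors and matching types handled here
USAGE_PKIX_EE = 1      # TLSA match AND normal PKIX chain validation required
USAGE_DANE_EE = 3      # TLSA match alone authenticates the end-entity cert
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        """Parse zone-file / dig form, e.g. '3 1 1 2bb1 83af ...' (hex may be split)."""
        usage, selector, mtype, *hexparts = text.split()
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex("".join(hexparts)))


def _selected_bytes(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    if record.selector == SELECTOR_FULL_CERT:
        return cert_der
    if record.selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown selector {record.selector}")


def _association_data(record: TLSARecord, selected: bytes) -> bytes:
    if record.matching_type == MATCH_EXACT:
        return selected
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {record.matching_type}")


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record's association data matches the presented end-entity cert."""
    try:
        selected = _selected_bytes(record, cert_der, spki_der)
        return _association_data(record, selected) == record.data
    except ValueError:
        # Unknown selector or matching type: the record is unusable, never a match.
        return False


def check_portal_cert(tlsa_rrset: Sequence[TLSARecord], dnssec_validated: bool,
                      cert_der: bytes, spki_der: bytes, pkix_ok: bool) -> str:
    """Classify the presented cert against the portal name's TLSA RRset.

    "no-tlsa"         name publishes no TLSA records; only WebPKI can be applied
    "unauthenticated" TLSA answer was not DNSSEC-validated and must be ignored
    "match"           a usable end-entity record matched
    "mismatch"        usable records exist but none matched: reject the cert
    "unhandled"       only CA-constraint usages (0/2) present; not compared here
    pkix_ok is the TLS stack's verdict on ordinary chain validation.
    """
    if not tlsa_rrset:
        return "no-tlsa"
    if not dnssec_validated:
        return "unauthenticated"
    usable = False
    for rec in tlsa_rrset:
        if rec.usage == USAGE_DANE_EE:
            usable = True
            if tlsa_matches(rec, cert_der, spki_der):
                return "match"
        elif rec.usage == USAGE_PKIX_EE:
            usable = True
            if pkix_ok and tlsa_matches(rec, cert_der, spki_der):
                return "match"
    return "mismatch" if usable else "unhandled"


# Constructed stand-ins for the DER bytes a TLS stack would hand us (not real certificates).
SAMPLE_CERT_DER = b"constructed-portal-certificate-der"
SAMPLE_SPKI_DER = b"constructed-portal-spki-der"


def demo() -> dict:
    """Run the classifier over constructed records and return the verdicts by scenario."""
    good = TLSARecord.from_presentation("3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest())
    stale = TLSARecord.from_presentation("3 0 1 " + hashlib.sha256(b"old-cert").hexdigest())
    pkix_ee = TLSARecord(USAGE_PKIX_EE, SELECTOR_SPKI, MATCH_SHA256,
                         hashlib.sha256(SAMPLE_SPKI_DER).digest())
    args = (SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    return {
        "signed_match": check_portal_cert([stale, good], True, *args, pkix_ok=False),
        "signed_mismatch": check_portal_cert([stale], True, *args, pkix_ok=True),
        "unsigned": check_portal_cert([good], False, *args, pkix_ok=True),
        "none": check_portal_cert([], True, *args, pkix_ok=True),
        "pkix_ee_no_chain": check_portal_cert([pkix_ee], True, *args, pkix_ok=False),
        "pkix_ee_with_chain": check_portal_cert([pkix_ee], True, *args, pkix_ok=True),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:20s} {verdict}")
```

The "no-tlsa" and "unauthenticated" verdicts are the point the reply is making: a host can only fall back to ordinary WebPKI validation in those cases, so TLSA is usable opportunistically until portals actually publish signed records.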