Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/13/2015 10:58 AM, Sam Hartman wrote:
Since no browsers support DANE, I don't think it's fair to give an
operational recommendation in favor of DNSsec.  I don't think it buys
you anything with today's software.
What I had in mind with this is not so much DANE but rather just being able to make the claim that the answer (e.g., AAAA record) being returned to the host is actually a name owned by the company claiming to operate the captive portal. I will admit that I haven't really thought this through, and you are right that one of the more obvious use cases for this would be validating the cert using TLSA. Of course if the portal doesn't support the TLSA queries, that means that the host can't require that they work, which seems like a bad outcome, so recommending support for DNSSEC is a win even if the hosts don't initially use it.




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]