On Sun, 2024-01-21 at 01:30 -0500, Theodore Ts'o wrote:
> Unlike James, I've tried to use DANE, since about the only thing that
^
never?
> has as disastrous a user experience as gpg is DNSSEC. :-) I just
> manually upload keys to the kernel and Debian keyrings, and it's been
> working out, apparently without much pain for either me or to those
> who rely on my keys --- at least, no one as complained to me so
> far....
Well the theory is sound: if the DNS is secure and trustworthy, getting
the gpg key from the same domain as the email records proves the tie
between the uid and the key (obviating the need for all this keysigning
and web of trust). Making DNS substitute for all these stupid external
CAs for web certificates as well (via DANE export of the X509 public
key) is also a good idea, as is exporting the ssh host keys and things.
However, having maintained DNSSEC for almost a decade now, I'm not
going to pretend it's something a non-expert sysadmin should be trying:
it's very particular and problems are hard to debug; you really have to
be in the top tier of expert sysadmins to be successful with it.
However, once it is running, bind9 now takes much of the pain out of
rolling the domain keys and, if you run a dynamic domain (one that can
be updated with nsupdate), you can actually give all your users scoped
permission to update their own key records, so if you have an expert
sysadmin on the domain, they can make DANE usable for all the non
experts.
I think the gpg usability problem is that I can't mark my key as being
DANE available in the key itself, so gpg would just automatically check
the DNS for an update and throw a warning if there was a DNS problem
(but still use the cached key). The failure is the users having to
figure out that my key is DANE available and then what combinatoric
explosion of gpg options they actually need to update it.
James
