DNS-based Authentication of Named Entities.
This may require having our own DNSSEC resolver.
kmcallister
All 4 comments
Considering that more established browsers are rejecting this feature due to the latency of querying DNS and due to DNSSEC using the sort of legacy crypto that's being unsupported for normal CAs, it's probably not a good idea to spend time on this in Servo.
hsivonen
on 28 May 2015
Assigning to @avadacatavra to decide whether we should pursue this.
nox
on 8 Apr 2017
I see that my comment from 2015 has gotten two thumbs down. It helps to consider DNSSEC as a CA system replacement with legacy crypto practices and with structurally unimpeachable root and intermediates.
Legacy crypto practices: Remember that DNSSEC had a 1024-bit RSA root at a time when Mozilla had decided to distrust 1024-bit RSA Web PKI roots.
From time to time, there's "whoa! how can it be this bad?" news about a particular CA or its delegates. Taking action against BR violations in Web PKI is hard but possible. In DNSSEC, if your TLD misbehaves in terms of what it signs, there's no remedy without everyone under that TLD changing to a different TLD, which is prohibitively disruptive. Authorities in DNSSEC are even less impeachable in case of bad behavior than in Web PKI.
Furthermore, I haven't seen any update refuting Chrome's finding that a substantial portion of browser users are behind middleboxes that drop DNSSEC-sized DNS responses.
hsivonen
on 9 Apr 2017
There's no cross-browser consensus on the tradeoffs with DANE, and I don't think this is a current priority for Servo.
We can reopen/revisit this in the future if things change in the browser ecosystem.
avadacatavra
on 19 Apr 2017
Related issues
noisiak
路
3Comments
shinglyu
路
4Comments
CYBAI
路
4Comments
SimonSapin
路
3Comments
AgustinCB
路
4Comments