Re: [dane] Deployment considerations - Re: draft-ietf-dane-smime

Viktor Dukhovni <> Mon, 20 October 2014 18:29 UTC


On Mon, Oct 20, 2014 at 04:52:21PM +0000, Dan York wrote:

> Personally, I think it would be great if every "DANE-like" usage
> would just use the TLSA record... then we have to only fight that
> battle once to get it added into configuration/management GUIs.
> But if we are to create other TLSA-like records to have different
> names, let's at least please keep them the same so that we can get
> them all more easily deployed.

I empathise with the sentiment, but there's a bit more to a friendly
DANE record UI than the RDATA format.

For TLSA, the UI would have an entry box for the port number, and
radio buttons for the protocol (tcp/udp/...).

For SMIMEA there would be a text field for the address localpart,
which is used to enter the address.  If (as is almost always the case)
the DNS zone is mastered from some sort of underlying database,
one might even want to store the address (for friendlier search,
...) while using its sha224 hash in the SMIME label.

So there may be *some* code re-use, but doing it right will likely
require custom code for any additional record types with a TLSA-like