Re: [dane] namespace management, DANE Client Authentication draft updated

"John Levine" <> Thu, 14 January 2016 02:49 UTC

Date: 14 Jan 2016 02:49:10 -0000
Message-ID: <20160114024910.67019.qmail@ary.lan>
From: "John Levine" <>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated

>This forces clients that use both TCP and UDP to publish their TLSA
>records twice (or better publish one as a CNAME for the other, or
>make both CNAMEs to a third thing).  Is this really worth it?

How much of a problem has it been for TLSA server records?  I honestly don't
know, but I'd be surprised if the answer were other than "not much".

Creating the certificate and turning that into the right hex for the
TLSA master record seems vastly harder than adding a CNAME which, if
you are right that nobody ever does anything different on TCP and UDP,
could be added mechanically.
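Added example, not part of John Levine's post, the draft, or any project's code: the two steps the reply compares, turning a certificate into the hex for a TLSA record (the SHA-256 of the DER SubjectPublicKeyInfo, i.e. DANE-EE usage 3, selector 1, matching type 1) and then aliasing the UDP name to the TCP name with a CNAME so the hex is published only once. The owner names `_25._tcp.client.example.com` and `_25._udp.client.example.com` are hypothetical placeholders, not the naming the draft defines, and the self-signed certificate is constructed on the fly only to exercise the functions.

```shell
#!/bin/sh
# Added example (not from the list post or the draft): compute DANE
# "certificate association data" for a certificate and emit a TLSA record
# for the TCP owner name plus a CNAME for the UDP owner name, as the reply
# suggests. Owner names are hypothetical placeholders.
set -eu

# tlsa_spki_sha256 CERT.pem -> 64 lowercase hex chars: SHA-256 over the
# DER-encoded SubjectPublicKeyInfo (selector 1, matching type 1). Survives
# certificate renewal as long as the key pair is kept.
tlsa_spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | sed 's/^.*= *//' | tr 'A-F' 'a-f'
}

# tlsa_cert_sha256 CERT.pem -> SHA-256 over the whole DER certificate
# (selector 0, matching type 1); changes on every re-issue.
tlsa_cert_sha256() {
    openssl x509 -in "$1" -outform DER \
      | openssl dgst -sha256 \
      | sed 's/^.*= *//' | tr 'A-F' 'a-f'
}

# make_test_cert DIR -> path of a constructed self-signed certificate,
# used only so the functions above have something to hash.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=client.example.com" \
      -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$1/cert.pem"
}

# tlsa_zone_lines TCP_NAME UDP_NAME CERT.pem -> two zone-file lines:
# the TLSA record (3 1 1) on the TCP name and a CNAME from the UDP name
# to it, so the hex only has to be maintained in one place.
tlsa_zone_lines() {
    hex=$(tlsa_spki_sha256 "$3")
    printf '%s. IN TLSA 3 1 1 %s\n' "$1" "$hex"
    printf '%s. IN CNAME %s.\n' "$2" "$1"
}

# Stand-alone demo: generate a throwaway cert, print the two zone lines.
demo() {
    dir=$(mktemp -d)
    cert=$(make_test_cert "$dir")
    tlsa_zone_lines _25._tcp.client.example.com _25._udp.client.example.com "$cert"
    rm -rf "$dir"
}

demo
```

The CNAME target carries the TLSA RRset, so a validating resolver following the alias ends up at the same record for both transports; the `tlsa_cert_sha256` variant is included only to show why selector 1 (SPKI) is the usual choice when the key outlives the certificate.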