[dane] Choice of PXIX-TA or DANE-TA

Guido Witmond <guido@witmond.nl> Thu, 23 March 2017 23:20 UTC

Return-Path: <guido@witmond.nl>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 66BF31292FD for <dane@ietfa.amsl.com>; Thu, 23 Mar 2017 16:20:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id b2G4T9NUBpzu for <dane@ietfa.amsl.com>; Thu, 23 Mar 2017 16:20:17 -0700 (PDT)
Received: from mail.witmond.nl (mail.wtmnd.nl []) by ietfa.amsl.com (Postfix) with ESMTP id B1F501293E1 for <dane@ietf.org>; Thu, 23 Mar 2017 16:20:16 -0700 (PDT)
Received: from [] (unknown []) by mail.witmond.nl (Postfix) with ESMTPSA id 4FD00C0573 for <dane@ietf.org>; Thu, 23 Mar 2017 23:20:15 +0000 (UTC)
To: dane@ietf.org
From: Guido Witmond <guido@witmond.nl>
X-Enigmail-Draft-Status: N1111
Message-ID: <967f5637-8b52-c71e-6f5a-e2f6dbf19632@witmond.nl>
Date: Fri, 24 Mar 2017 00:20:08 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.6.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="x0fAKG5QSEpmEFjhC5V84c5MEqveiUgNd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/nk1jkceTxJRwXqXjl-1z35ZDxJw>
Subject: [dane] Choice of PXIX-TA or DANE-TA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 23:20:19 -0000


I've this web site for which I've enabled a Let's Encrypt server

Now I have the choice of either PKIX-TA (TLSA 0 x y) or DANE-DA (TLSA 2
x y) records, or both.

My main question is: What's the value of choosing one above the other?

If I chose PKIX-TA, it means that a client who doesn't have the Let's
Encrypt root certificate in their CA-store won't accept my certificate/site.

On the other hand, if I chose DANE-TA, are there any clients who won't
accept my certificate/site because it might not be part of the clients
list of vakid CA's?

Browsing the web, I hardly see any pages argue for PKIX-TA (0 x y) TLSA
records. Is the consensus that DANE-TA is sufficient to make clients
accept my site when the records match the site?

In other words: which one (PKIX-TA or TLSA-TA) to chose?

Cheers, Guido Witmond