Gotcha, thank you. As I'm somewhat of the opinion that DNSSEC belongs in the pooper (for the good mankind), I guess this means that I shouldn't pay much attention to it.biolizard89 wrote:It does not provide any functionality which Namecoin's d/ namespace does not provide. It just makes Namecoin's d/ namespace somewhat more interoperable with DNSSEC-supporting software.
[SPEC] Domain name specification
Re: [SPEC] Domain name specification
Re: [SPEC] Domain name specification
I know the question has already been answered, but it seems what I was getting at didn't get through.sugarpuff wrote: The RFC is quite long, and the wiki is too short; perhaps you could help clarify something: what extra functionality does DANE offer that Namecoin by itself does not already provide?
1. DANE allows client software to validate server certificates through DNS instead of using CAs.
2. NMC provides an alternative way to register + publish domain names and their content records.
Put these two things together by publishing certificate fingerprints in NMC and providing a NMC->DNS/DANE gateway for clients. Then every DANE-supporting client software can validate certificates through NMC, without modifications.
Re: [SPEC] Domain name specification
Can I suggest we consider adding a static field? This would enable an optimization to tell browsers not to send session information like cookies to that subdomain. You can find some discussion about it here:
http://dot-bit.org/forum/viewtopic.php?f=5&t=1285
http://dot-bit.org/forum/viewtopic.php?f=5&t=1285
Re: [SPEC] Domain name specification
Thanks for the quick summary pmc! It sounds like DNSNMC can play the role of that "NMC->DNS/DANE gateway"?pmc wrote:I know the question has already been answered, but it seems what I was getting at didn't get through.sugarpuff wrote: The RFC is quite long, and the wiki is too short; perhaps you could help clarify something: what extra functionality does DANE offer that Namecoin by itself does not already provide?
1. DANE allows client software to validate server certificates through DNS instead of using CAs.
2. NMC provides an alternative way to register + publish domain names and their content records.
Put these two things together by publishing certificate fingerprints in NMC and providing a NMC->DNS/DANE gateway for clients. Then every DANE-supporting client software can validate certificates through NMC, without modifications.
Re: [SPEC] Domain name specification
With just straight DNS using nmcontrol you can already do TLSA/DANE lookups:
Code: Select all
dig TLSA _443._tcp.lolicore.bit +short
3 0 1 660008F91C07DCF9058CDD5AD2BAF6CC9EAE0F912B8B54744CB7643D 7621B787