Security is complex. I didn't say "we don't need this, we have DANE".
I said that I wish the effort and weight put behind this solution, was put behind something like DANE, which is protocol agnostic - so it helps you protect connections to your HTTPS login form just the same as it helps me protect connections to my XMPP server or IMAP server or whatever else I have that operates over SSL/TLS.
Yes, DNSSEC has not had the best rollout - even though basic support is mandatory now for registrars, some (I'm looking at you fuckers, Hover/Tucows) use ridiculous subsidiary setups to get around providing support for it.
That to me though, is just further evidence that it (DANE) needs all the support it can get - if we didn't do things that were slightly complicated, we wouldn't encrypt anything at all, or hash passwords or even have the internet.
I said that I wish the effort and weight put behind this solution, was put behind something like DANE, which is protocol agnostic - so it helps you protect connections to your HTTPS login form just the same as it helps me protect connections to my XMPP server or IMAP server or whatever else I have that operates over SSL/TLS.
Yes, DNSSEC has not had the best rollout - even though basic support is mandatory now for registrars, some (I'm looking at you fuckers, Hover/Tucows) use ridiculous subsidiary setups to get around providing support for it.
That to me though, is just further evidence that it (DANE) needs all the support it can get - if we didn't do things that were slightly complicated, we wouldn't encrypt anything at all, or hash passwords or even have the internet.