[dns-operations] R53 Introduces service Binding (SVCB), HTTPS, TLSA, and Secure Shell fingerprint (SSHFP) records
Doug Barton
dougb at dougbarton.us
Thu Oct 31 01:27:25 UTC 2024
On 2024-10-30 4:08 PM, Emmanuel Fusté wrote:
>> Seems like an interesting development.
>>
>> Thoughts?
>>
>> https://aws.amazon.com/blogs/networking-and-content-delivery/improving-security-and-performance-with-additional-dns-resource-record-types-in-amazon-route-53/
>
> They are just catching up.
> For TLSA, it was about time.
>
> Emmanuel.

Yeah, I had to restrain a snarky response on our internal AWS help
channel about DANE support, finally. :)

What I'm most curious about is whether HTTPS is going to get broader
support from the browsers now that AWS is on board?

I lived through several rounds of the ALIAS vs. SRV wars, and remain
disappointed in all sides of that argument. The need is obviously there,
and the AliasMode for HTTPS seems like it will meet that need, if it's
universally supported.

It's still not enabled by default in the latest Firefox without DOH, for
example. It seems that Chrome and Safari support it on desktop, and that
mobile support is also strong. Am I missing anything?

My issue is that I can't "sell" this to my organization as an 80%
solution. The response I'm likely to get is, "If we need to provision an
alternate solution anyway, why bother with the HTTPS records in the
first place?"

Doug