[dns-operations] R53 Introduces service Binding (SVCB), HTTPS, TLSA, and Secure Shell fingerprint (SSHFP) records
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Oct 31 01:31:48 UTC 2024
On Wed, Oct 30, 2024 at 03:49:42PM -0700, Doug Barton via dns-operations wrote:
> From: Doug Barton <dougb at dougbarton.email>
> Date: Wed, 30 Oct 2024 15:49:42 -0700
> Subject: R53 Introduces service Binding (SVCB), HTTPS, TLSA, and Secure
> Shell fingerprint (SSHFP) records
> To: dns-operations at dns-oarc.net
>
> Seems like an interesting development.
>
> Thoughts?
>
> https://aws.amazon.com/blogs/networking-and-content-delivery/improving-security-and-performance-with-additional-dns-resource-record-types-in-amazon-route-53/

Good to see it happen, better late than never. The high-level overview
is roughly right, be it that some of the technical details are a bit
off:

    - The example TLSA record associated data is not valid hexadecimal.
    - DANE-enabled SMTP clients don't launch right into a TLS client
      Hello, after reading the server 220 banner. EHLO and STARTTLS
      are still required first.

If this were a tutorial on deploying server-side DANE TLSA records, I'd
have asked for more coverage of the operational requirements of keeping
it working (not just fire and forget initial configuration), but this is
a service rollout announcement, not a user guide, so the scope is about
right...

--
Viktor.
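
Relating to the first point in the message above, a check for TLSA RDATA in presentation format, added here as an example and not part of the original message or the AWS post. It applies the field values and digest lengths from RFC 6698; the function name and the sample records are constructed for illustration.

```python
import hashlib
import re

# Digest size in bytes implied by the matching type (RFC 6698, section 2.1.3).
# Matching type 0 carries the full certificate or SPKI, so no fixed length.
DIGEST_LEN = {1: 32, 2: 64}  # 1 = SHA-256, 2 = SHA-512

def check_tlsa_rdata(rdata):
    """Return a list of problems in a presentation-format TLSA RDATA string."""
    fields = rdata.split()
    if len(fields) < 4:
        return ["expected: usage selector matching-type hex-data"]
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
    except ValueError:
        return ["usage, selector and matching type must be decimal integers"]
    problems = []
    if usage not in (0, 1, 2, 3):
        problems.append(f"usage {usage} is not one of 0-3 (RFC 6698)")
    if selector not in (0, 1):
        problems.append(f"selector {selector} is not 0 or 1 (RFC 6698)")
    if mtype not in (0, 1, 2):
        problems.append(f"matching type {mtype} is not 0, 1 or 2 (RFC 6698)")
    # Presentation format allows whitespace inside the hex data; join it first.
    hexdata = "".join(fields[3:])
    bad = sorted(set(re.sub(r"[0-9A-Fa-f]", "", hexdata)))
    if bad:
        problems.append("non-hexadecimal characters in data: " + "".join(bad))
    elif len(hexdata) % 2:
        problems.append("odd number of hex digits")
    elif mtype in DIGEST_LEN and len(hexdata) // 2 != DIGEST_LEN[mtype]:
        problems.append(f"matching type {mtype} expects {DIGEST_LEN[mtype]} "
                        f"bytes, got {len(hexdata) // 2}")
    return problems

# Constructed samples: the digest is of a made-up byte string, not a real key.
DIGEST = hashlib.sha256(b"constructed sample SPKI").hexdigest()
SAMPLES = {
    "valid": f"3 1 1 {DIGEST}",
    "not hex": f"3 1 1 {DIGEST[:-4]}wxyz",
    "truncated": f"3 1 1 {DIGEST[:60]}",
    "split": f"3 1 1 {DIGEST[:32]} {DIGEST[32:]}",
}

if __name__ == "__main__":
    for name, rdata in SAMPLES.items():
        print(f"{name}: {check_tlsa_rdata(rdata) or 'ok'}")
```
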