Comment by 🐧 chluehr
Re: "DANE and DNSSEC adoption is still low, but I agree it would…"
@skyjake good point(s), you are right - thanks for the feedback!
2025-03-11 · 1 year ago
@skyjake I don't think it's difficult to create a valid DANE TLSA record. You just need to have a DNS registrar that supports DNSSEC. At OVH DNSSEC is handled automatically.
And to create a DANE-TLSA record you just need the "ldns-dane" tool (package "ldns" on Arch) to create one.
$ ldns-dane create redterminal.org 1965
Output: _1965._tcp.redterminal.org. 3600 IN TLSA 3 1 1 ba8aa64c381226622d1cdebb28b628f45c9b4d111a5930a015ff140f6f4fb754
Now you just need to create that TLSA record on your domain at your registrar. The only thing that's a problem, is to get support from Gemini clients.
If you successfully placed the DNS record you can verify your DANE-TLSA entry with: "$ ldns-dane verify redterminal.org 1965"
And I think it does have value to further secure a capsule, even a small one. A capsule has a certificate anyway, so it shouldn't be too difficult to add a TLSA-DANE record. Of course: It is optional, but a good addition.
@skyjake BTW: I saw you're using eNom as a registrar. They seem to support DNSSEC, but it has to be done manually, which can be hard and tricky. I don't know which registrars do this automatically, but ovh.com does: You just add a normal DNS record (A for example, but TLSA as well) and it's automatically signed with a RRSIG record. I can only recommend them.
🎲 tomasino · 2025-03-21 at 02:00:
I keep meaning to gemlog about this, but I made a proof of concept client implementation for DANE in rust. https://github.com/jamestomasino/gemini-rust-tlsa
@tomasino Querying TLSA records just during the TLS handshake makes the process more performant. That way the TLS connection itself can be sped up significantly.
Also, do you have any comments on this?
— Trust algorithm suggestion for augmenting TOFU with DANE
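As an added example (not code from this thread, from ldns, or from the gemini-rust-tlsa client), the following Python shows what the "3 1 1" record that `ldns-dane create` prints actually commits to (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) and sketches the kind of TOFU-plus-DANE trust decision the linked suggestion is about. Everything here is assumed rather than taken from the posts: the certificate arrives as DER bytes, the caller has already done the TLSA lookup and DNSSEC validation, and the test certificate is a constructed, unsigned stand-in built with a tiny DER encoder, not a real capsule certificate.

```python
# Added example: DANE-EE (3 1 1) TLSA matching plus a TOFU+DANE trust decision.
# Not from the thread, ldns, or gemini-rust-tlsa. Assumes DER certificates and
# that DNS lookup and DNSSEC validation happen elsewhere; the test cert below
# is a constructed, unsigned skeleton, not a real certificate.
import hashlib


def der_tlv(tag, content):
    """Minimal DER TLV encoder (only used to build the constructed test cert)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n


def der_children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, ce = der_read_tlv(buf, pos)
        yield tag, buf[pos:ce]
        pos = ce


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280)."""
    _, cs, ce = der_read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs = next(der_children(cert_der, cs, ce))  # tbsCertificate
    _, tcs, tce = der_read_tlv(tbs, 0)
    fields = list(der_children(tbs, tcs, tce))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Build 'usage selector mtype hex', the rdata form ldns-dane create prints."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_matches(record, cert_der):
    """True if one TLSA rdata string matches the presented end-entity cert.
    Only usage 3 (DANE-EE) is handled; usages 0-2 also need PKIX chain checks."""
    u, s, m, hexdata = record.split()
    u, s, m = int(u), int(s), int(m)
    if u != 3 or s not in (0, 1) or m not in (0, 1, 2):
        return False
    return tlsa_rdata(cert_der, u, s, m) == f"{u} {s} {m} {hexdata.lower()}"


def decide_trust(cert_der, tlsa_records, dnssec_secure, pinned_fp):
    """TOFU augmented with DANE. tlsa_records: list of rdata strings or None;
    dnssec_secure: whether that answer was DNSSEC-validated (AD bit);
    pinned_fp: SHA-256 hex of the cert stored at first use, or None."""
    fp = hashlib.sha256(cert_der).hexdigest()
    if tlsa_records and dnssec_secure:             # unsigned TLSA data is ignored
        if any(tlsa_matches(r, cert_der) for r in tlsa_records):
            return "trusted", "DANE-EE match, DNSSEC-validated"
        return "rejected", "TLSA records exist but none match this certificate"
    if pinned_fp is None:
        return "tofu-accept", "no usable DANE data; first use, pin this certificate"
    if pinned_fp == fp:
        return "trusted", "matches pinned certificate"
    return "ask-user", "certificate changed and no DANE data justifies it"


def build_test_cert():
    """Constructed, unsigned X.509 skeleton for testing; NOT a real certificate."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    name = der_tlv(0x30, b"")                                                 # empty Name
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + der_tlv(0x03, b"\x00\x04" + bytes(64)))                  # fake EC point
    tbs = der_tlv(0x30, version + serial + alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(8)))
    return cert, spki


if __name__ == "__main__":
    cert, _ = build_test_cert()
    record = tlsa_rdata(cert)                      # "3 1 1 <sha256 of SPKI>"
    print("_1965._tcp.example.org. 3600 IN TLSA", record)
    print(decide_trust(cert, [record], True, None))
```

Two points the functions make explicit: a "3 1 1" record survives a certificate renewal as long as the key pair is reused (only the SPKI is hashed), and TLSA data that did not come back DNSSEC-validated is simply ignored, so an attacker who can spoof DNS but not DNSSEC cannot use a forged TLSA record to whitewash a changed certificate.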
Original Post
DANE and DNSSEC adoption is still low, but I agree it would "solve" the TOFU Gemini Issue / CC @skyjake [gemini link] DANE and TLS