Comment by 👾 fab
Re: "DANE and DNSSEC adoption is still low, but I agree it would…"
@skyjake BTW: I saw you're using eNom as a registrar. They seem to support DNSSEC but it has to be done manually, which can be hard and tricky. I don't know which registrars do this automatically, but ovh.com does: you just add a normal DNS record (A for example, but TLSA as well) and it's automatically signed with an RRSIG record. I can only recommend them.
2025-03-12 · 1 year ago
2 Later Comments ↓
🎲 tomasino · 2025-03-21 at 02:00:
I keep meaning to gemlog about this, but I made a proof of concept client implementation for DANE in Rust. https://github.com/jamestomasino/gemini-rust-tlsa
@tomasino Querying TLSA records just during the TLS handshake makes the process more performant. That way the TLS connection itself can be sped up significantly.
Also, do you have any comments on this?
— Trust algorithm suggestion for augmenting TOFU with DANE
Original Post
DANE and DNSSEC adoption is still low, but I agree it would "solve" the TOFU Gemini Issue / CC @skyjake [gemini link] DANE and TLS