Comment by skyjake
Re: "DANE and DNSSEC adoption is still low, but I agree it would…"
I'm not fundamentally opposed to the idea of supporting DANE in Lagrange. However, I have three big concerns:
1) It is inherently complicated, with many moving parts and parties: server operators, DNS providers, cryptographic data and tooling, and client software. This results in increased friction to adoption.
2) DANE could be handled exclusively via standalone tools. Integration into a client would be nice, but not mandatory.
3) Gemini does not require the higher level of trust that DANE provides. Perhaps a few central services/capsules could benefit, but for most it would be little more than a hassle.
2025-03-11 · 1 year ago
5 Later Comments
chluehr [OP] · 2025-03-11 at 11:23:
@skyjake good point(s), you are right - thanks for the feedback!
fab · 2025-03-12 at 01:14:
@skyjake I don't think it's difficult to create a valid DANE TLSA record. You just need to have a DNS registrar that supports DNSSEC. At OVH DNSSEC is handled automatically.
And to create a DANE-TLSA record you just need the "ldns-dane" tool (package "ldns" on Arch) to create one.
$ ldns-dane create redterminal.org 1965
Output: _1965._tcp.redterminal.org. 3600 IN TLSA 3 1 1 ba8aa64c381226622d1cdebb28b628f45c9b4d111a5930a015ff140f6f4fb754
Now you just need to create that TLSA record on your domain at your registrar. The only thing that's a problem is to get support from Gemini clients.
If you successfully placed the DNS record you can verify your DANE-TLSA entry with: "$ ldns-dane verify redterminal.org 1965"
And I think it does have value to further secure a capsule, even a small one. A capsule has a certificate anyway, so it shouldn't be too difficult to add a TLSA-DANE record. Of course: It is optional, but a good addition.
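fab's `ldns-dane create` output above is a `3 1 1` record: certificate usage 3 (DANE-EE, pin the leaf itself), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256). As an added example that is not part of this thread or of ldns, here is a stdlib-only Python sketch of what a client has to do to check such a record against the leaf certificate it received over TLS; `constructed_cert` builds a dummy certificate skeleton (not a real certificate) so the demo runs offline, and the `example.invalid` name is a placeholder.

```python
import hashlib

def der_tlv(buf, pos=0):
    """Decode one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, content):
    """Encode tag + content as DER (long-form length when content >= 128 bytes)."""
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV, the part that selector 1 hashes."""
    _, cert, _ = der_tlv(cert_der)          # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)               # tbsCertificate SEQUENCE
    pos, skip = 0, 6 if tbs[0] == 0xA0 else 5   # EXPLICIT [0] version is optional
    for _ in range(skip):                   # (version,) serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(tbs, pos)
    return tbs[pos:der_tlv(tbs, pos)[2]]

def tlsa_rdata(cert_der, selector=1, mtype=1):
    """Hex data for a TLSA record: selector 0=full cert, 1=SPKI; mtype 1=SHA-256, 2=SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def matches_tlsa(cert_der, usage, selector, mtype, hexdata):
    """DANE-EE (usage 3) pins the leaf itself; usages 0-2 need chain handling, not done here."""
    if usage != 3:
        raise NotImplementedError("only certificate usage 3 (DANE-EE) is handled here")
    return tlsa_rdata(cert_der, selector, mtype) == hexdata.lower()

def constructed_cert(with_version=True):
    """Constructed dummy certificate skeleton (not a real cert, unsigned, all-zero key)."""
    alg = der_encode(0x06, bytes.fromhex("2a8648ce3d0201")) + der_encode(0x06, bytes.fromhex("2a8648ce3d030107"))
    spki = der_encode(0x30, der_encode(0x30, alg) + der_encode(0x03, b"\x00\x04" + bytes(64)))
    version = der_encode(0xA0, der_encode(0x02, b"\x02")) if with_version else b""
    tbs = version + der_encode(0x02, b"\x01") + der_encode(0x30, b"") * 4 + spki
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

if __name__ == "__main__":
    cert = constructed_cert()
    print("_1965._tcp.example.invalid. IN TLSA 3 1 1", tlsa_rdata(cert))
    print("leaf matches its own record:", matches_tlsa(cert, 3, 1, 1, tlsa_rdata(cert)))
```

Feeding it a real DER certificate (the one the server presents on port 1965) gives the same hex that `ldns-dane create` prints; the DNSSEC validation of the TLSA answer itself is a separate step this sketch does not cover.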
fab · 2025-03-12 at 04:12:
@skyjake BTW: I saw you're using eNom as a registrar. They seem to support DNSSEC but it has to be done manually, which can be hard and tricky. I don't know which registrars do this automatically, but ovh.com does: You just add a normal DNS record (A for example, but TLSA as well) and it's automatically signed with a RRSIG record. I can only recommend them.
tomasino · 2025-03-21 at 02:00:
I keep meaning to gemlog about this, but I made a proof of concept client implementation for DANE in rust. https://github.com/jamestomasino/gemini-rust-tlsa
sy · 2025-03-21 at 08:10:
@tomasino Querying TLSA records just during the TLS handshake makes the process more performant. That way the TLS connection itself can be sped up significantly.
Also, do you have any comments on this?
Trust algorithm suggestion for augmenting TOFU with DANE
Original Post
DANE and DNSSEC adoption is still low, but I agree it would "solve" the TOFU Gemini Issue / CC @skyjake [gemini link] DANE and TLS