Maintained by: NLnet Labs

[Unbound-users] local control socket; www.unbound.net certificate

Leen Besselink
Wed Dec 1 01:12:32 CET 2010


Hello Wouter,
> I apologize.  Most people would need to add an exception anyway for
> CAcert, hence we did not notice this domain-name oversight in the
> certificate.  I hope we can move onto a DNSSEC-secured CERT RR in the
> near future :-)
>

CAcert is a really interesting concept and judging by their news page,
there even seems to be some progress again.

But DNSSEC has much more potential, especially because the root is
already signed and because DNS delegates authority.

Chromium does have the --enable-dnssec-certs option so that is a start,
but it's experimental.

I think OpenSSH is the only application at this point which supports
DNSSEC, in this case with SSHFP-RR.

But I do wonder when we can really start to see some kind of widespread
deployment other than to fight something like the "Kaminsky attack".

DNSSEC can be used for so much more.

> Best regards,
>    Wouter