On 2012-06-01, at 12:02, Phil Regnauld wrote:
Right, but it's going to take a little time before most applications validate or even check for TLSA/DANE, although there is progress.
For sure. I wasn't saying it was quicker. However, if I was betting on which would happen first: (a) four browser vendors deploy DNSSEC validation and N% of users upgrade their browsers and start to enjoy validation, or (b) ISPs across the planet swallow the costs and reputational harm associated with doing so and turn on validation such that N% of users receive pre-validated answers, I don't think I'd be putting much money on (b).

(And note again that (b) doesn't close the door to DNS poisoning attacks, it just moves the target from the cache to the stub resolver. This is a harder target, but it's still a target.)

Joe