2011-09-07


September 7, 2011

It's running but the lack of secure secondaries is definitely a problem.

There's a more advanced Firefox DNSSEC validator add-on here; it has a mechanism based on the DANE drafts to stash an SSL cert fingerprint into DNS. I've put the records in the pointless.net zone, but have not tried the validator; it's for Firefox 4 only.

Chrome has something similar, but it appears to be the opposite way round: you store the DNSSEC chain of trust in your site's SSL cert and Chrome can verify it. I'm not sure if that's possible with the CAcert certificate I'm using.

tags: dnssec

