Why isn't the SSL cert for a server a special kind of DNS record?
Rather, why are TLSA records adopted?
@selea I don't understand this sentence.
TLSA (DANE) - RFC 6698.
Storing TLS-cert in DNS is a bad idea and kinda defeats the purpose.
However, the idea with the TLSA record is that owners of the domain can verify the "visitor" that the certificate is valid - DNSSEC required of course.
Postfix already has support for it, called DANE, and if I remember correctly - about 0.3% of SMTP servers online actually implemented it (2019 data).
@evan I remember pre-ssh systems that used TXT records for public key data used at login. I had some funky proprietary secure telnet that a client used around 1997, and I had to compile some weird program that did a DNS lookup, did some DSA key exchange, and then did a stream cipher from then on using a shared secret. Normal telnet clients then bound to the socket it made somehow and off I went...
@evan It would make it a pain in the ass to have it automatically renew when it was nearing its expiration. Wait, not everyone uses @letsencrypt ???
@evan @letsencrypt But Let's Encrypt doesn't have access to your DNS records; it just uses them to verify that you are you, before updating the cert locally.
@evan You can achieve this with the TLSA RR (and then you must use DNSSEC to guarantee - up to a certain kind of certainty - that the genuine DNS answer is returned).
@R1Rail That's interesting! I will see if I can give it a try.
@evan However, I do not know of web browsers looking for it. Postfix does, for encrypting mail-server-to-mail-server communication, when it is properly configured.
@R1Rail @evan The DANE (DNS-based Authentication of Named Entities) standard
1) Relies on DNSSEC which has been really slow to adopt
2) Requires integration on both client and server side
3) Would also require a radical shift by the entire Internet away from the existing PKI based trust model
It’s never going to happen.
@evan I'm not sure DNS is a good fit for TLS.
I had a look at one of the TLS certs for my Mastodon instance and it's 3562 bytes long in PEM format. In its raw format, it'd probably be ~2700B.
Technically, this can fit in an EDNS0 record, but DNS (mostly) travels over UDP so we have to think about packet loss, of which fragmentation is the most common cause. Smaller payloads, less fragmentation, less packet loss.
Also, you still need to negotiate the rest of TLS with the remote host anyway.
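Added example, not code from anyone in the thread: what a TLSA record (RFC 6698) actually carries and how a DANE-aware client checks it against the certificate the peer presents, using only hashlib. It illustrates both selea's description of the TLSA idea and the size argument in the last post; the DER blobs are constructed stand-ins (not real ASN.1), so only their sizes matter.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698): usage, selector, matching type, association data."""
    usage: int      # 3 = DANE-EE: pin the end-entity cert/key itself
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact data, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse zone-file form such as '3 1 1 8bd1...' (hex may be space-split)."""
        usage, selector, matching, *hexparts = text.split()
        return cls(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))

    def to_wire(self) -> bytes:
        """RDATA wire format: three one-octet fields, then the association data."""
        return bytes([self.usage, self.selector, self.matching]) + self.data

def tlsa_association(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Data a record would carry for this certificate (RFC 6698 section 2.1)."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")

def publish(cert_der: bytes, spki_der: bytes, usage=3, selector=1, matching=1) -> str:
    """Presentation-format record the domain owner would put in the zone."""
    data = tlsa_association(cert_der, spki_der, selector, matching)
    return f"{usage} {selector} {matching} {data.hex()}"

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Client-side check: does the presented certificate satisfy the published record?
    The record only means something if it came back in a DNSSEC-validated answer."""
    try:
        expected = tlsa_association(cert_der, spki_der, record.selector, record.matching)
    except (KeyError, ValueError):
        return False  # unknown selector or matching type: cannot evaluate, so no match
    return hmac.compare_digest(expected, record.data)

# Constructed stand-ins for DER blobs (not real ASN.1), sized like the thread's numbers.
SAMPLE_CERT_DER = b"\x30\x82" + bytes(range(256)) * 10  # ~2.5 KB "certificate"
SAMPLE_SPKI_DER = b"\x30\x82" + b"\x01" * 292            # ~300 B "public key info"
```

With the default "3 1 1" parameters the RDATA is 35 bytes regardless of certificate size, which is the point of publishing a digest rather than the certificate itself.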