by _-___________-_ 2174 days ago
Well, if the system resolver is doing DNSSEC validation, the browser doesn't need to support it. That's how I've had my system set up for years. Unfortunately, macOS and Windows (other than Server) still don't have any DNSSEC support as far as I'm aware. Support is built in to systemd-resolved now though, which I believe is the default resolver on various Linuxes, and unbound is of course available in all major distros.

If the goal is to have DNSSEC replace the CAs, then you need DANE, and for DANE to work, browsers have to support it.
That can indeed be a goal, but DNSSEC is useful even without DANE.
(a) No it can't be, and (b) that's not what this thread was about.