For DNSSEC and Why DANE Is Needed
blog.technitium.com
Thank you for sharing about DANE, I never heard of it before. It's an interesting alternative to PKI.
In my DevOps engineering team, a great deal of our time is spent managing and troubleshooting certificate setup (either getting them from Let's Encrypt, buying them from real CAs, setting up a local HashiCorp Vault as a local CA, or sharing/installing self-signed certificates).
By being able to generate a "self-signed" cert ourselves and just having to set up a DNS record instead of having to request everyone to install it, it could free a great deal of our time. (If I understood it well)
Waiting on Route53 to offer TLSA records so I can implement DANE across the domains I’m responsible for.
DANE would be a huge improvement toward enabling TLS for resource-constrained appliance-like devices. Right now, getting TLS on a BMC or an IoT-like device or a network switch or anything similar is utterly miserable. With DANE, the device could serve up a self-signed certificate with no expiration (what’s the point of expiring it anyway?) and the DNS zone could make it trusted using DANE.
DANE seems cool
But nobody supports it