Hey,

> The majority of deployments do not have DNSSEC in place.

Chicken-and-egg reasoning is deadly for advancing the Internet. However, the situation is not as grim as you say: servers increasingly run under DNSSEC-supportive domains. Clients can easily incorporate DNSSEC-aware resolver libraries such as libunbound or libgetdns.

> So some name check for TLS certs is strictly required for preventing MITM attacks.

That has merits all on its own, agreed. Anyone working on it yet? Until then, I fear DANE is all we've got.

> IMO DNSSEC/DANE is not of much use for LDAP with TLS.

We disagree on that, but there is no reason to make an either/or choice between the approaches.

-Rick
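[Editor's note: the following is an added illustration of the DANE/TLSA check that the thread is arguing about, written for this page. It is not code from the mail above nor from libunbound, libgetdns or any LDAP client. It shows the RFC 6698 matching step an LDAP-over-TLS client would perform once it has (a) the server's certificate chain from the TLS handshake and (b) the TLSA RRset for `_636._tcp.<host>` from a DNSSEC-validating resolver. Both inputs are constructed inline so the example runs offline: the "certificate" is a syntactically valid but unsigned X.509 skeleton, and the TLSA record is derived from it. The owner name `_636._tcp.ldap.example.com` and the hostname are assumptions.]

```python
"""DANE (RFC 6698) TLSA matching for an LDAP-over-TLS connection.

Added example for the thread above; not code from the mail, from
libunbound/libgetdns, or from any LDAP client. Certificate and TLSA
record below are constructed inline so the check runs offline.
"""
import hashlib
import hmac

# --- minimal DER helpers (enough to build and walk an X.509 skeleton) -------

def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_children(data: bytes):
    """Yield (tag, raw_tlv, value) for each TLV inside a DER SEQUENCE body."""
    i = 0
    while i < len(data):
        start, tag, length = i, data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        yield tag, data[start:i], value

def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate (selector 1)."""
    _, _, cert_body = next(der_children(cert_der))        # Certificate ::= SEQUENCE
    _, _, tbs_body = next(der_children(cert_body))        # tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                              # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# --- TLSA record handling -------------------------------------------------

def tlsa_owner_name(host: str, port: int = 636, proto: str = "tcp") -> str:
    """Owner name to query, e.g. _636._tcp.ldap.example.com (RFC 6698 section 3)."""
    return "_%d._%s.%s" % (port, proto, host)

def parse_tlsa(presentation: str):
    """Parse '<usage> <selector> <mtype> <hex...>' presentation format."""
    usage, selector, mtype, *data = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data))

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the certificate association data for one cert under selector/mtype."""
    target = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if selector not in (0, 1):
        raise ValueError("unknown TLSA selector %d" % selector)
    if mtype == 0:
        return target
    if mtype == 1:
        return hashlib.sha256(target).digest()
    if mtype == 2:
        return hashlib.sha512(target).digest()
    raise ValueError("unknown TLSA matching type %d" % mtype)

def dane_verify(chain, tlsa_rrset, dnssec_secure, pkix_valid=False) -> bool:
    """True if the presented chain satisfies at least one TLSA record.

    chain         -- DER certs, end-entity first, as sent in the TLS handshake
    tlsa_rrset    -- TLSA records in presentation format
    dnssec_secure -- True only if the resolver reported the RRset as validated
    pkix_valid    -- outcome of ordinary PKIX validation (needed for usage 0/1)
    """
    if not dnssec_secure:
        return False          # an unauthenticated TLSA record is just an attacker's record
    for rr in tlsa_rrset:
        usage, selector, mtype, data = parse_tlsa(rr)
        if usage == 3:                 # DANE-EE: pin the end-entity certificate
            candidates = chain[:1]
        elif usage == 2:               # DANE-TA: an issuer in the chain is the anchor
            candidates = chain[1:]     # (path validation up to that anchor omitted here)
        elif usage in (0, 1):          # PKIX-TA / PKIX-EE: PKIX must also succeed
            if not pkix_valid:
                continue
            candidates = chain if usage == 0 else chain[:1]
        else:
            continue
        for cert in candidates:
            if hmac.compare_digest(association_data(cert, selector, mtype), data):
                return True
    return False

# --- constructed sample data ---------------------------------------------

def build_test_certificate(key_bytes: bytes) -> bytes:
    """Unsigned X.509 v3 skeleton for 'ldap.example.com' (constructed, not a real cert)."""
    alg_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))
    alg_sig = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg_rsa + der_tlv(0x03, b"\x00" + key_bytes))
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403"))
                                                + der_tlv(0x0C, b"ldap.example.com"))))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg_sig + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg_sig + der_tlv(0x03, b"\x00" * 33))

SERVER_CERT = build_test_certificate(bytes(range(64)))
# What the operator publishes at _636._tcp.ldap.example.com: "3 1 1 <sha256(SPKI)>"
TLSA_RRSET = ["3 1 1 " + hashlib.sha256(subject_public_key_info(SERVER_CERT)).hexdigest()]

def demo():
    """(genuine cert, same cert but unsigned DNS answer, different key)."""
    return (dane_verify([SERVER_CERT], TLSA_RRSET, dnssec_secure=True),
            dane_verify([SERVER_CERT], TLSA_RRSET, dnssec_secure=False),
            dane_verify([build_test_certificate(bytes(64))], TLSA_RRSET, dnssec_secure=True))

if __name__ == "__main__":
    print(tlsa_owner_name("ldap.example.com"), demo())
```

The `dnssec_secure` gate is the whole point of the DANE side of this argument: the TLSA record is only as trustworthy as the resolver's validation of it, which is why the client has to get it from a validating library (libunbound, libgetdns) rather than a stub resolver, and why the record's hash is compared with a constant-time comparison rather than `==`. A "3 1 1" record survives certificate renewal as long as the key is kept, which is the usual reason to pin the SubjectPublicKeyInfo rather than the whole certificate.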
