
> DNSSEC is a sideshow.

I recently had the occasion to attend a meeting of a body recommending standards for the Dutch government. (Serving) DNSSEC has been on their "use or explain"-list for well over a year (and the Netherlands apparently leads worldwide DNSSEC adoption.) At the meeting, the other attendees expressed their sincere regret that the DANE proposal, although a great idea, was still too immature.

As you probably know, DANE says that you "MUST" implement "trust this certificate, no matter what any CA says" over DNSSEC; combined with the fact that DNSSEC servers usually hold the signing keys online (NSEC3), implementing DANE is significantly less secure than just trusting the CAs. In fact, the Netherlands put quite a bit of effort into a government PKI infrastructure after our previous CA (DigiNotar) got pwned; it's not clear that requiring e.g. municipal system administrators to handle their own cryptographic keys is an improvement over what we have now.

Which is to say, don't discount well-meaning public servants; "given enough thrust, pigs can (temporarily) reach 6% of cruising altitude." </snark> [1,2]

[1] https://tools.ietf.org/html/rfc1925

[2] http://www.networkworld.com/news/2012/092412-ipv6-traffic-26...
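The "trust this certificate, no matter what any CA says" behaviour the comment above refers to is TLSA certificate usage 3 (DANE-EE) from RFC 6698. The following is an added example, not code from the commenter or any DANE implementation: it parses the zone-file form of a TLSA record, recomputes the certificate association data for a presented certificate, and shows that with usage 3 the CA-based PKIX result is ignored entirely, whereas usage 1 (PKIX-EE) still requires it. The certificate bytes are constructed placeholders (a real client would extract the SubjectPublicKeyInfo from the DER certificate), and the function and class names are this example's own.

```python
"""Added example: minimal DANE TLSA (RFC 6698) matching logic.

Not code from the comment author or any project.  Illustrates what
"trust this certificate, no matter what any CA says" means in TLSA
terms: certificate usage 3 (DANE-EE) bypasses the CA result entirely.
The sample certificate bytes are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


@dataclass(frozen=True)
class PresentedCert:
    """End-entity certificate the TLS server presented.

    'der' is the whole certificate, 'spki' its SubjectPublicKeyInfo.
    A real client parses spki out of der; here both are supplied
    (assumption made for this example).
    """
    der: bytes
    spki: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form, e.g. '3 1 1 2bb183af...'."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type, data")
    usage, selector, matching = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in range(2) or matching not in range(3):
        raise ValueError("unknown TLSA usage/selector/matching type")
    # Zone files may split long hex data across whitespace; join it back.
    hexdata = "".join(parts[3:])
    return TLSARecord(usage, selector, matching, bytes.fromhex(hexdata))


def association_data(record: TLSARecord, cert: PresentedCert) -> bytes:
    """Compute what the TLSA data field must contain for this certificate."""
    selected = cert.der if record.selector == SELECTOR_FULL_CERT else cert.spki
    if record.matching_type == MATCH_EXACT:
        return selected
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, cert: PresentedCert) -> bool:
    return association_data(record, cert) == record.data


def dane_accepts(record: TLSARecord, cert: PresentedCert, pkix_chain_valid: bool) -> bool:
    """Decide whether to accept the server certificate.

    Usage 3 (DANE-EE): the CA-based PKIX result is ignored; only the
    TLSA match counts.  Usage 1 (PKIX-EE): both must hold.  Usages 0
    and 2 constrain the chain rather than the end-entity certificate,
    which needs chain inspection not modelled here, so they are refused.
    """
    if record.usage == USAGE_DANE_EE:
        return tlsa_matches(record, cert)
    if record.usage == USAGE_PKIX_EE:
        return pkix_chain_valid and tlsa_matches(record, cert)
    raise NotImplementedError("trust-anchor usages need the full chain")


# Constructed sample: stand-in bytes, not a real certificate.
SAMPLE_CERT = PresentedCert(der=b"constructed-cert-der", spki=b"constructed-spki")
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_CERT.spki).hexdigest()

if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_TLSA)
    print("DANE-EE, CA says no :", dane_accepts(rec, SAMPLE_CERT, pkix_chain_valid=False))
    pkix = TLSARecord(USAGE_PKIX_EE, rec.selector, rec.matching_type, rec.data)
    print("PKIX-EE, CA says no :", dane_accepts(pkix, SAMPLE_CERT, pkix_chain_valid=False))
```

Note that under usage 3 the only thing standing between a client and a forged certificate is the integrity of the TLSA record itself, which is why the security of the zone's DNSSEC signing keys, the commenter's point about online keys, becomes the whole story.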


