JackSlateur 3 days ago

No they should not

DANE is the way (https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...)

But no browser has support for it, so .. :/

talideon 2 days ago | parent

Much as I like the idea of DANE, it solves nothing by itself and you need to sign the zone from tampering. Right now, the dominant way to do that is DNSSEC, though DNSCurve is a possible alternative, even if it doesn't solve the exact same problem. For DANE to be useful, you'd first need to get that set up on the domain in question, and the effort to get that working is far, far from trivial, and even then, the process is so error prone and brittle that you can easily end up making a whole zone unusable.

Further, all you've done is replace one authority (the CA authority) with another one (the zone authority, and thus your domain registrar and the domain registry).

JackSlateur 2 days ago | parent

The zone authority already supersedes the CA authority in all ways

When I manage a DNS zone, I'm free to generate all certificates I want
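The two posts above describe the same mechanism from opposite sides: a zone operator publishes a TLSA record that binds a certificate (or just its public key) to a name, and a client only trusts that binding if the DNS answer itself was DNSSEC-validated. The following is an added example, not code from either commenter, that shows both halves of a DANE-EE (usage 3) check in the style of RFC 6698: building the record a zone operator would publish, parsing the presentation format, and matching it against the certificate presented in a handshake. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the `dnssec_validated` flag stands in for the resolver's AD bit; nothing here performs DNS lookups or TLS.

```python
"""DANE/TLSA matching (RFC 6698 semantics) over constructed sample data."""
import hashlib
import hmac
import re

# Constructed placeholders: in a real check these are the DER certificate and
# its SubjectPublicKeyInfo taken from the TLS handshake, not these bytes.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CERT-BYTES"
SAMPLE_SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-BYTES"

# Presentation format: owner [TTL] [IN] TLSA usage selector mtype hexdata
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+"
    r"(?P<usage>\d)\s+(?P<selector>\d)\s+(?P<mtype>\d)\s+"
    r"(?P<data>[0-9A-Fa-f\s]+)$"
)


def parse_tlsa(rr_text):
    """Parse one TLSA record in zone-file presentation format into a dict."""
    m = TLSA_RE.match(rr_text.strip())
    if not m:
        raise ValueError("not a TLSA record: %r" % rr_text)
    return {
        "owner": m.group("owner"),
        "usage": int(m.group("usage")),
        "selector": int(m.group("selector")),
        "mtype": int(m.group("mtype")),
        # hex may be split across whitespace in zone files
        "data": bytes.fromhex("".join(m.group("data").split())),
    }


def association_data(cert_der, spki_der, selector, mtype):
    """Compute the 'certificate association data' field for a selector/mtype pair.

    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    mtype 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
    """
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = spki_der
    else:
        raise ValueError("unknown selector %d" % selector)
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type %d" % mtype)


def publish_tlsa(owner, cert_der, spki_der, usage=3, selector=1, mtype=1):
    """Build the presentation-format record a zone operator would publish.

    The default (3 1 1) pins the SHA-256 of the public key, which survives
    certificate renewal as long as the key is kept.
    """
    data = association_data(cert_der, spki_der, selector, mtype)
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, data.hex())


def tlsa_matches(rr, cert_der, spki_der, dnssec_validated):
    """Return True only if the record was DNSSEC-validated and matches the cert.

    Only usage 3 (DANE-EE) is evaluated here; usages 0-2 additionally require
    a PKIX chain check, which this example deliberately does not implement.
    An unvalidated record is treated as absent: without DNSSEC an on-path
    attacker could publish a TLSA record for their own key.
    """
    if not dnssec_validated:
        return False
    if rr["usage"] != 3:
        raise NotImplementedError("usage %d needs PKIX validation" % rr["usage"])
    expected = association_data(cert_der, spki_der, rr["selector"], rr["mtype"])
    return hmac.compare_digest(expected, rr["data"])


if __name__ == "__main__":
    # Zone operator side: publish, then client side: parse and match.
    rr_text = publish_tlsa("_443._tcp.example.com.", SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(rr_text)
    rr = parse_tlsa(rr_text)
    print("validated match:", tlsa_matches(rr, SAMPLE_CERT_DER, SAMPLE_SPKI_DER, True))
    print("unvalidated match:", tlsa_matches(rr, SAMPLE_CERT_DER, SAMPLE_SPKI_DER, False))
```

The `dnssec_validated` gate is the point of talideon's objection: the TLSA data is only as trustworthy as the signed zone it came from, so a client must refuse to act on it unless the resolver reports the answer as authenticated. The `publish_tlsa` side is JackSlateur's point in code: whoever controls the zone chooses which key is pinned, without any CA involved.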