I’ve been an early adopter of DNSSEC, dating all the way back to the “.nl.nl” experiment in the late nineties. My interest in DNSSEC came from the desire to have a method to distribute public keys securely to increase the deployment of openswan (then “freeS/WAN”).
With the increasing security nightmare of X.509 and compromised Certificate Authorities (4 compromises in 2011 alone), I became a very active member of the DANE working group at the IETF, which strives to make it possible to authenticate secure web servers using DNSSEC. If you want to know more, read the working group document “Using secure DNS to associate certificates with domain names for TLS”. To further facilitate this process and to obsolete X.509 containers, I wrote a draft together with John Gilmore and others to allow a new ‘certificate type’ that only contains bare public keys, “TLS out-of-band public key validation”, which is now an IETF TLS working group item.
Thanks for your work on DANE.
I’ve included your changes to the Extended DNSSEC Validator plugin into my changes and offered it to Danny Groenewegen. He got it past the Mozilla reviewers.
The plugin now validates Usage values 2 and 3. I hope I did everything correctly.