For DNSSEC and Why DANE Is Needed

Thank you for sharing about DANE, I never heard of it before. It&#x27;s an interesting alternative to PKI.<p>In my devops engineering team, a great deal of our time is passed managing and troubleshooting certificates setup (either getting them from letsencrypt, buying them from real CAs, setup local hashicorp vault as a local CA, or sharing&#x2F;installing self-signed certificates).<p>By being able to generate &quot;self-signed&quot; cert ourselves and just having to setup a DNS record instead of having to have to request everyone to install it, it could free a great deal of our time. (If I understood it well)

Waiting on Route53 to offer TLSA records so I can implement DANE across the domains I’m responsible for.

DANE would be a huge improvement toward enabling TLS for resource-constrained appliance-like devices. Right now, getting TLS on a BMC or an IoT-like device or a network switch or anything similar is utterly miserable. With DANE, the device could serve up a self-signed certificate with no expiration (what’s the point of expiring it anyway?) and the DNS zone could make it trusted using DANE.

Dane seems cool<p>But nobody supports it