biolizard89 wrote:
Well, we need Unbound and madns anyway since we need interoperability with client software that supports DNSSEC, and there aren't any native Python libraries that support DNSSEC.

phelix wrote:
Could you elaborate on your plans with DNSSEC?

biolizard89 wrote:
Client software that supports TLS fingerprints specified by DNS only accepts them if they're secured by DNSSEC (AD=1). It's pretty easy to do this for Namecoin, by generating a user-specific DNSSEC key, signing all .bit records with it, and adding that key to the Unbound trust store. Python doesn't have any library for this.

phelix wrote:
If I understand correctly this is your plan for TLS support. Does it work with popular browsers out of the box?

biolizard89 wrote:
It will, once browsers support the TLSA DNS record. So far no major browsers support it (Chromium used to support it, but then removed support for reasons that I think are faulty). At the moment I'm using a Mozilla API that gives us what we need, but it requires installing a browser extension. I'm pretty sure it will work with any Mozilla-based software, including Firefox/Thunderbird/Seamonkey/TorBrowser, but I've only tested in Firefox.

I have doubts we really need DNSSEC. Particularly since it does not look like major browsers will support it anytime soon.
Also there is criticism: http://sockpuppet.org/blog/2015/01/15/against-dnssec/
E.g. Tor Browser and I2P support seem to benefit us way more.
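The acceptance rule biolizard89 describes above (trust a DNS-supplied TLS fingerprint only when the resolver's answer is DNSSEC-validated, AD=1, and the TLSA data matches the presented certificate), as an added example that is not code from this thread or from the Namecoin project. It uses only the standard library; the DNS header bytes, TLSA RDATA and "certificate" are constructed sample data, and it implements only the `3 0 1` TLSA form.

```python
import hashlib
import struct
from typing import Tuple

# TLSA RDATA layout (RFC 6698): usage(1) selector(1) matching_type(1) cert_assoc_data
USAGE_DANE_EE = 3        # end-entity certificate pinned via DNS
SELECTOR_FULL_CERT = 0   # association data covers the full DER certificate
MATCHING_SHA256 = 1      # association data is a SHA-256 digest

def dns_header_flags(response: bytes) -> dict:
    """Parse the 12-byte DNS header; AD (0x0020) is set only after DNSSEC validation."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "qr": bool(flags & 0x8000),
        "ad": bool(flags & 0x0020),
        "rcode": flags & 0x000F,
        "ancount": an,
    }

def parse_tlsa_rdata(rdata: bytes) -> Tuple[int, int, int, bytes]:
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]

def tlsa_matches_cert(rdata: bytes, cert_der: bytes) -> bool:
    """True if the TLSA record pins exactly this certificate (3 0 1 form only)."""
    usage, selector, matching, assoc = parse_tlsa_rdata(rdata)
    if (usage, selector, matching) != (USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCHING_SHA256):
        return False
    return hashlib.sha256(cert_der).digest() == assoc

def accept_dns_fingerprint(response: bytes, rdata: bytes, cert_der: bytes) -> bool:
    """Accept the DNS fingerprint only if the answer is validated (AD=1) and matches."""
    h = dns_header_flags(response)
    if not h["qr"] or h["rcode"] != 0 or h["ancount"] == 0:
        return False
    if not h["ad"]:
        return False  # unvalidated data from the resolver: never trust the pin
    return tlsa_matches_cert(rdata, cert_der)

# Constructed sample data: a fake DER blob and a TLSA RDATA pinning its SHA-256.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a-constructed-certificate-bytes"
SAMPLE_TLSA = bytes([USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCHING_SHA256]) \
    + hashlib.sha256(SAMPLE_CERT_DER).digest()
# Header-only responses suffice for the flag check: QR|RD|RA(|AD), one question, one answer.
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)    # AD set
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # AD clear

if __name__ == "__main__":
    print(accept_dns_fingerprint(VALIDATED_RESPONSE, SAMPLE_TLSA, SAMPLE_CERT_DER))    # True
    print(accept_dns_fingerprint(UNVALIDATED_RESPONSE, SAMPLE_TLSA, SAMPLE_CERT_DER))  # False
```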