> The DNSSEC stapled data is embedded in an X.509 certificate (as opposed to extending TLS or using a different certificate format) because every HTTPS server will take an X.509 certificate as an opaque blob and it Just Works. All the other possiblilies introduce significant barriers to adoption.
It's not in the CERT record. The DNSSEC signature chain is carried in the SSL cert.
The other post linked from this entry notes that this is based on Dan Kaminsky's DNSSEC presentation. Dan has a pretty interesting line of articles describing doing this kind of stuff in DNSSEC starting here: http://dankaminsky.com/2010/12/13/dnssec-ch1/
5 comments
[ 3.6 ms ] story [ 21.1 ms ] threadimperialviolet.org has no CERT record
Still LOLing
It's not in the CERT record. The DNSSEC signature chain is carried in the SSL cert.