gnome.org zone should contain TLSA records
Submitted by Allison (desrt)
Assigned to GNOME Web maintainers
Link to original bug (#742185)
Description
gnome.org is properly signed by DNS but it doesn't use DANE TLSA records to pin certificates for the various services. It should do that.
In particular, for mail exchangers, this can be used to prevent downgrades attacks (to plaintext), but it is still useful for https to warn against certificates issued from compromised CAs.
Version: current