diff --git a/README.md b/README.md index 5470531..34a582e 100644 --- a/README.md +++ b/README.md @@ -8,17 +8,6 @@ Let's DANE enables the use of [DANE (DNS Based Authentication of Named Entities)](https://tools.ietf.org/html/rfc6698) in browsers and other apps using a lightweight proxy. It currently supports DANE-EE and works with self-signed certificates. -

-
-
-Let's DANE Handshake -

- -

-This domain is DNSSEC signed with ed25519 in an experimental decentralized alternate root zone, handshake.org. -

-

-

Let's DANE verified DNSSEC
@@ -70,54 +59,6 @@ If letsdane is compiled with libunbound, all queries are DNSSEC validated with a Use `letsdane -help` to see command line options. -## Using with Handshake root zone - -Currently, there are two ways to use letsdane with Handshake: - -### 1. Using hsd/hnsd (recommended) - -You can use [hsd](https://github.com/handshake-org/hsd) or [hnsd](https://github.com/handshake-org/hnsd). Specify address:port of the handshake resolver. You must have it local on your machine or use sig0. - -Optionally use `-skip-icann` to skip TLSA lookups for ICANN tlds and prevent the generated CA from issuing certificates for ICANN tlds (recommended hnsd is still experimental and also this will not break some legacy domains using poorly configured nameservers). - -Assuming hnsd is listening on '127.0.0.1:5350' - - letsdane -r 127.0.0.1:5350 -skip-dnssec -skip-icann - -- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) - -- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. - -If you use hsd, you can optionally use sig0 by specifying the public key `public_key@ip:port` - - letsdane -r aj7bjss4ae6hd3kdxzl4f6klirzla377uifxu5mnzczzk2v7p76ek@192.168.1.22:5350 -skip-icann - -Firefox creates a separate CA store for each profile, so it's recommended to use that if you want the CA to only be trusted by a specific profile. - -### 2. Using DoH - -You can use any DoH resolver **that you trust**. The resolver must support Handshake if you want Handshake domains to work. - -``` -letsdane -r https://easyhandshake.com:8053 -skip-dnssec -skip-icann -``` - -- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) - -- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. - -### DANE-EE Sites - -- FreeBSD: -- Tor Project: - -handshake - -- -- -- -- - ### DANE Tools - danectl: (helper tool for certbot & letsencrypt)