Remix clone Hacker News

new | show | ask | jobs Github

▲

Avamander 3 days ago

DNSSEC is just a shittier PKI with CAs that are too big to ever fail.

▲

immibis 3 days ago | parent [-]

It is, but since we rely on DNS anyway, no matter what, and your DNS provider can get a certificate from Let's Encrypt for your site, without asking you, there's merit to combining them. It doesn't add any security to have PKI separate from DNS.

However, we could use some form of Certificate Transparency that would somehow work with DANE.

Also it still protects you from everyone who isn't your DNS provider, so it's valuable if you only need a medium level of security.

▲

Avamander a day ago | parent | next [-]

> It is, but since we rely on DNS anyway, no matter what, and your DNS provider can get a certificate from Let's Encrypt for your site, without asking you, there's merit to combining them.

They can, but they'll also get caught thanks to CT. No such audit infrastructure exists for DANE/DNSSEC.

> It doesn't add any security to have PKI separate from DNS.

One can also get a certificate for an IP addresses.

▲

ryao 2 days ago | parent | prev [-]

There is no need for a certificate from let’s encrypt. DANE lets you put your own self signed certificate into DNS and it should be trusted because DNS is authoritative, although DNSSEC should be required to make it secure.

	▲	tptacek 2 days ago \| parent [-]
		And yet no browser trusts it, and a single-digit percentage of popular zones (from the Tranco list) have signatures; this despite decades of deployment effort. Meanwhile, over 60% of all sites on the Internet have ISRG certificates.