Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
indolering 7 hours ago

Bad arguments and FUD when it was being rolled out. Sysadmins also don't want to touch working infra code, you can see that with AWS lagging on IPv6.

tptacek 7 hours ago | parent [-]

Who's the most reputable cryptographer you can think of who publicly supports DNSSEC? We'd like to interview them on SCW.

indolering 6 hours ago | parent [-]

You are going to complain that the key sizes are too small despite the guidelines being updated a long time ago. Then you will argue adoption of larger keys sizes is to low. Then you will argue that we should just not sign domain name authority delegation records at all (i.e. DNSSEC) and that we should abandon shoring up authenticated DNS because there is no adoption.

You have any cryptographers that are satisfied with unauthenticated name server checks?

tptacek 6 hours ago | parent [-]

Yes? Lots of them? But also: you didn't answer my question.

indolering 5 hours ago | parent [-]

Okay, but after this I have to go back to work.

You got a point: 1k isn't great and of course mainstream cryptographers will advocate for higher. That doesn't change that it's still acceptable within the existing security model nor that better alternatives are available. The cryptographic strength of DNSSEC isn't a limiting factor that fatally dooms the whole project. We have to upgrade the crypto used in large-scale infrastructure all the time!

And yes, uptake of better crypto is poor but I find chicken-and-egg arguments disingenuous when coming from someone who zealously advocates to make it worse. Furthermore, your alternative is no signing of DNS records. Find me a cryptographer who thinks no PKI is a better alternative. I know DJB griped about DNSSEC when proposing DNSCurve, which protects the privacy of the payload but not the intergrity of the payload.

3eb7988a1663 an hour ago | parent | next [-]

Is this a bot gone rogue? Parent asked for a person, and you are shadow-boxing with unasked questions.

gzread an hour ago | parent [-]

The question was "can you find me some reputable cryptographers that support your position?" which is just ad hominem and should be ignored as such, except it does indicate that the person asking it doesn't have any better argument than ad hominem.

tptacek 5 hours ago | parent | prev [-]

Sorry, but I asked who's the most reputable cryptographer you can think of who publicly supports DNSSEC? I asked because we'd like to interview them on SCW.

indolering 2 hours ago | parent [-]

More rhetorical dunking instead of engaging with the substantive technical issues. I'm done.

tptacek 2 hours ago | parent [-]

That is a weird answer to a very simple question but I'll take that as "I can't think of any". Someone else can answer instead.