by caskance 3875 days ago
The whole concept of certificates in the first place relies on your ability to keep the private key secret. You know what you really have no recourse to? The police coming when you are asleep and "interrogating" you until you give them access to the key.

I feel like I'm trying to give you detailed technical answers, and that your responses are mostly about abstractions. I'm not thinking about DNSSEC abstractly. I am concerned with its specifics, which I have studied for a long time and am convinced will harm the Internet.

That's the nicest way I can say that your response to what I just said seems like a non sequitur. I just explained what I meant by recourse. I'm sorry, but I think you're wrong.

You can make your DNS server ignore the root certificate and use anchors stored locally for a specific TLD.

If you then contact a TLD that's owned by a 3rd party, you are essentially trusting whoever owns that TLD. For example, .google is owned by Google, so whatever is under it is under their full control.

"DNSSEC is fine, as long as we all give up on .COM". Ok.
One of the flaws about talking with an overloaded term like "security". If, even abstractly, something does not work, what's the point of arguing about its technical details?

As you said before, DNSSEC is fine if you concede .com to the US government. This has already happened, we're just putting it in writing.

No, we have not already conceded TLS keys for sites in .COM to the USG.
Instead, the current CA system means we've conceded all TLS.