[wav-part]

> No. You have to trust all the CAs, and the governments that control the DNS.

Not in DNSSEC. .xxx need only trust dnsroot. yyy.xxx need only trust .yyy and dnsroot.

firefox/chrome/etc with support from important orgs with high value names (google.com/bankofamerica.com/etc) would then make sure that dnsroot/.com/etc do not abuse the trust. They have incentive and methods of punishment. There is no legal authority that clients need to map DNS . to existing root keys. A client can map a.b.c to any key it wants.

The risk of gov overreach is same for both tls and DNSSEC. DNSSEC just trusts fewer entities. The only people who benefit from current system, are CAs who are getting $$$ for nothing.

> https://www.imperialviolet.org/2015/01/17/notdane.html

This is orthogonal. Weak Keys are not required or implied characterstic of DNSSEC.

[akerl_]

If browsers start mapping cert trust to something besides the DNS roots... it’s not DNSSEC, it’s something else entirely, it’s “our current system, maybe with some slight tweaks”

[wav-part]

I am not suggesting every client do their own mapping, that is not a naming system at all. There has to be very large consenus for a naming system to be effective. I just pointed that out to show that dns is not under any gov control. Its under a control of an entity that can be punished.

However who gets to have dnsroot is just a value of a config in DNSSEC. The value itself should not be used to criticize DNSSEC cause its changeable.

[akerl_]

How do you punish .com if they misbehave? Move every site off .com?

[wav-part]

No. You just map .com to another key with an agreement that new .com owner pre signs and map existing .com subs the right way. An unaware xxx.com does not need to do anything. As long as its done publically with a bang and enough consensus, disruption should be minimal.

Again this is unavoidable in any system that need trust. Thats why I like PoW DNS.

[tptacek]

Who is "you"? The people we're afraid of manipulating .COM control the DNS. Google can't "map .com to another key". Their option would be to leave .COM; that is the gun DNSSEC would give to the USG to hold against Google's head.

[wav-part]

You is firefox/chrome/etc. Yes you can. The ownership of .com is not as exclusive/protected as .xxx or xxx.com. Thus the firefox/chrome/etc can map it to anyone they feel. Considering so many high value .com subnames, .com can be transferred to neutral party or even dnsroot. USG do not own ".com" string. No one does. Just like ".".

[tptacek]

The linked article is about why you can’t simply trust the DNS roots, even if you were naive enough to want to.

[topranks]

If you can’t trust them then the whole thing crumbles anyway.

All you need to obtain valid TLS certs for any domain is to make a CA think you control the domain. So the CA’s trust in the DNS root is already functioning as the basis of X.509.

[tptacek]

You manifestly can't trust them today, couldn't yesterday, or for the last 30 years, despite the rise of e-commerce and the gradual shift of all applications to the web with its domain-validated WebPKI. Google doesn't DNSSEC sign. Facebook doesn't DNSSEC sign. No major bank I've found DNSSEC signs. AT&T doesn't DNSSEC sign, nor does Verizon. Some part of Comcast does, or did, and the net effect was that DNSSEC errors broke HBO NOW on launch day for Comcast users (and only Comcast users).

Tell me more about how the whole thing crumbles away? Because I'm pretty sure I'm typing into a TEXTAREA on the real HN, and not some facsimile a DNS hacker created to fool me. The Internet seems to be working fine without the government-run PKI you're saying we have to have.