[anon463637]

These are vague and strawman criticisms that deny reality and that DNS can't solve everything itself.

Who owns which domain will always be centralized if only one group or individual can own a particular name. Having multiple domain name systems creates chaos.

Privacy can be solved on the client-side with VPNs or DNS resolution encrypted proxies (dnscrypt) and private registration (by the owner).

Security (integrity and non-repudiation) already exists in the form of DNSSEC and DANE. It's a Catch-22 to say it's not when it clearly exists. It's imperfect but it does exist.

ICANN was supposed to/should've been a steward in the interests of all people, not just corporations.

You can't replace it with something else and expect a different result. All you're doing is moving problems around without addressing them. Emperor's new clothes won't fix that, sorry.

[CameronNemo]

Fwiw DNSSEC was designed before modern crypto fundamentals were understood. It is a lackluster mechanism, and yet ICANN keeps trying to get people to use it.

[tptacek]

DNSSEC and DANE are dead letters. After 25+ years of standardization effort, virtually no tech companies have adopted them. Its advocates cite bogus metrics like "number of signed zones" without disclosing that the overwhelming majority of those zones are signed automatically by registrars, which is security theater. No mainstream browser supports DANE, the key motivating feature for DNSSEC, and two browsers have introduced and then removed support for it. The major mail providers recently standardized MTA-STS specifically to avoid having to touch DNSSEC.

Stick a fork in DNSSEC.

[silverfox17]

In before "blockchain"