Hacker News new | ask | show | jobs
by dane-pgp 2218 days ago
A better argument against the preposterous claim that DNSSEC is "government-controlled" (and one that doesn't rely on blockchains, which are controversial in their own right), is that with DNSSEC you can choose which government (i.e. ccTLD) your domain is under, or choose one of the many generic TLDs.

The web PKI, by contrast, requires users to trust a bunch of CAs, any one of which could have been compromised by a government and can issue a certificate for your domain. Also, if a government can compromise your DNS records, they can also be granted domain-validated certificates for those domains, so the web PKI is not an improvement.

Anyway, if your threat model is that every single country in the world is willing to subvert the security of their own DNS hierarchy specifically to attack you, then the limitations of DNSSEC are the least of your worries.
2 comments
tptacek 2218 days ago
With DNSSEC, when it becomes instantly clear that the United States Government controls .COM, Google can simply leave .COM, and tell every Google user in the United States never to use the tainted GOOGLE.COM domain, and all the users will stop using .COM and start using the new Google domain name, because that is how things work in the real world.
link
dane-pgp 2218 days ago
Yeah, imagine the hours of productivity that will be lost as people in the US update their link to Google in their IE6 "Favorites" list, because that's how things work in the real world.

In contrast, when it becomes clear that the United States Government controls multiple certificate authorities, that won't be a problem for any websites.

link
Avamander 2218 days ago
With the CT system I can monitor the CA's issuance, with DNSSEC I can't retroactively monitor if someone has changed the DANE keys and intercepted traffic.
link
dane-pgp 2218 days ago
True, DNSSEC Transparency is not as developed a technology as Certificate Transparency. There has been experimental deployment of such a system[0] but to give higher assurance there is a small addition to the DNS data that needs to be adopted first[1], which is still going through the IETF process.

[0] https://twitter.com/ln4711/status/754516056878772224

[1] https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-deleg...

link
tptacek 2218 days ago
Certificate Transparency, by contrast, exists.
link
dane-pgp 2218 days ago
There was a time when Certificate Transparency didn't exist, and people didn't propose throwing away the web PKI because of that.
link
Avamander 2217 days ago
Yeah, because Web PKI existed, DNSSEC has yet to gather any meaningful good deployment. It's not hard to throw away something that doesn't exist :P
link