by Avamander 2218 days ago
With the CT system I can monitor the CA's issuance, with DNSSEC I can't retroactively monitor if someone has changed the DANE keys and intercepted traffic.
1 comments

True, DNSSEC Transparency is not as developed a technology as Certificate Transparency. There has been experimental deployment of such a system[0] but to give higher assurance there is a small addition to the DNS data that needs to be adopted first[1], which is still going through the IETF process.

[0] https://twitter.com/ln4711/status/754516056878772224

[1] https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-deleg...

Certificate Transparency, by contrast, exists.
There was a time when Certificate Transparency didn't exist, and people didn't propose throwing away the web PKI because of that.
Yeah, because Web PKI existed, DNSSEC has yet to gather any meaningful good deployment. It's not hard to throw away something that doesn't exist :P