by buffrr 1990 days ago
I think what they meant is that with decentralized DNS, it is possible to replace certificate authorities by using DNSSEC + DANE RFC6698[0], but I agree the way it's mentioned is confusing.

[0] https://tools.ietf.org/html/rfc6698

2 comments

OK. Obviously you can replace cert authorities with those systems on the present DNS too; it doesn't require a "(more) decentralized DNS", right?

Replacing cert authorities with something DNS-based (or alternative-decentralized-DNS-based) doesn't actually seem relevant to the problem they are highlighting, of Sci-Hub's DNS records being removed by private or government actors, making it harder to find Sci-Hub... no?

To answer your first question: with the present DNS, if you use DANE, the trust is centralized, since you have to trust the root DNS keys and the registrar (IMO still better than trusting a large number of CAs; Let's Encrypt already relies on DNS to issue certificates).
> with decentralized DNS, it is possible to replace certificate authorities by using DNSSEC

In what sense is DNSSEC decentralized? IMHO signing the root zone is about the most-centralizing thing that has ever happened to the Internet.

That's the thing Handshake is trying to address: with the root zone being on the (decentralized) blockchain, each TLD owner has full control over issuing the certificates for that domain using DNSSEC+DANE. The idea was that this would allow us to get rid of both the centralized root zone and CAs.
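To make the DNSSEC+DANE mechanism in the two comments above (the one citing RFC 6698 and the Handshake one) concrete, here is an added example in Go. It is not code from this thread, from Handshake, or from any RFC; it shows the publisher side (the domain owner computing a TLSA 3 1 1 record, i.e. DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching, for the certificate its server will present) and the verifier side (matching the certificate a server presents against the published records, with no CA consulted). The host name example.com, the port, the self-signed certificate and the function names are constructed for illustration. Note what the example deliberately leaves out: it does not validate the DNSSEC chain that delivered the record, and a TLSA record that did not arrive over a validated DNSSEC chain gives no assurance at all, which is why the root-key trust question raised in the thread matters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA fields of an RFC 6698 TLSA record.
type TLSA struct {
	Usage    uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector uint8  // 0 full certificate, 1 SubjectPublicKeyInfo
	Matching uint8  // 0 exact, 1 SHA-256, 2 SHA-512
	Data     []byte // certificate association data
}

// Presentation renders the record in zone-file form for a TCP service,
// e.g. "_443._tcp.example.com. IN TLSA 3 1 1 <hex>".
func (r TLSA) Presentation(host string, port int) string {
	return fmt.Sprintf("_%d._tcp.%s. IN TLSA %d %d %d %s", port, host,
		r.Usage, r.Selector, r.Matching, hex.EncodeToString(r.Data))
}

// associationData derives what Data must equal for cert under the given
// selector (what part of the certificate) and matching type (how it is hashed).
func associationData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var selected []byte
	switch selector {
	case 0:
		selected = cert.Raw // whole DER certificate
	case 1:
		selected = cert.RawSubjectPublicKeyInfo // just the key: survives renewal
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return selected, nil
	case 1:
		sum := sha256.Sum256(selected)
		return sum[:], nil
	case 2:
		sum := sha512.Sum512(selected)
		return sum[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", matching)
}

// RecordFor is the publisher side: the domain owner computes the TLSA record
// for the certificate (or key) its server will present, then signs it into
// the zone with DNSSEC (not shown here).
func RecordFor(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	data, err := associationData(cert, selector, matching)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: data}, nil
}

// MatchesDANEEE is the verifier side for usage 3 (DANE-EE): the presented
// end-entity certificate is accepted if it matches any published DANE-EE
// record; no CA chain is consulted. Records with other usages or with
// unknown selector/matching values are unusable here and are skipped.
func MatchesDANEEE(presented *x509.Certificate, records []TLSA) bool {
	for _, r := range records {
		if r.Usage != 3 {
			continue
		}
		want, err := associationData(presented, r.Selector, r.Matching)
		if err != nil {
			continue
		}
		if subtle.ConstantTimeCompare(want, r.Data) == 1 {
			return true
		}
	}
	return false
}

// selfSigned issues a throwaway self-signed certificate for host with key;
// it stands in for whatever certificate the operator actually deploys.
func selfSigned(host string, key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "example.com" // constructed example name
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	cert, err := selfSigned(host, key, 1)
	if err != nil {
		panic(err)
	}
	rec, _ := RecordFor(cert, 3, 1, 1)
	fmt.Println(rec.Presentation(host, 443))
	fmt.Println("presented cert accepted:", MatchesDANEEE(cert, []TLSA{rec}))
}
```

Two design points worth noticing: selector 1 pins the public key rather than the certificate, so the operator can renew the certificate without touching DNS as long as the key stays the same, whereas a selector 0 record must be republished on every renewal; and usage 3 means the verifier never builds a chain to a CA, which is the "replace certificate authorities" property the thread is talking about, and also why the authenticity of the record (DNSSEC, or whatever replaces the root zone) carries the entire trust.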
Wouldn't that blockchain grow exponentially?
Why exponentially? Seems like linear growth to me.
It is exactly that.