by throw28158916
291 days ago
I think my opinion is based on the idea that, for the connection between my PC/router and the DNS server, a certificate PKI is not needed. You can just hardcode/configure the public key of the DNS server and that is it. Similar to WireGuard or an SSH server.

> The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away at the implementation level.

I agree that TLS is understood, tested, used every day, etc. I do not agree that you sleep calmly at night. For example, a few years ago [1] or [2] Mozilla removed a root CA from Firefox for bad behavior. And you can argue everything is working properly because the bad behavior was detected and removed, but the thing is: you can avoid this group of problems entirely by avoiding PKI in the protocol. That is why I like the DNSCrypt protocol more. Fewer problems to worry about. You only change the hardcoded/configured public key if you change which DNS server you are using (not a big deal). You do not have to regularly update your router to keep the root CA store up to date. Do you update your router every month? Because I do not.

[1] https://www.feistyduck.com/newsletter/issue_53_certificate_a...

[2] https://www.itbrew.com/stories/2022/12/02/mozilla-microsoft-...