by pocksuppet 44 days ago
DNS is a centralization risk, yes. Somehow we've decided this is fine. DNSSEC isn't the only issue - your TLD's nameservers could also be offline, or censored in your country.
3 comments

DNS is barely centralized. Is there an alternative global name lookup system that is less centralized without even worse downsides?
The blockchain.

The only thing a blockchain is good for is achieving decentralized consensus on what value a key points to, which is what DNS is.

An alternative way of looking at this is that acquiring domains must be somewhat expensive by definition; either you enforce it at the system level, or you make it free, but then somebody will inevitably grab all the interesting ones and re-sell them to others. A blockchain is the only way to make decentralized financial infrastructure viable.

GNS is the obvious response here, in addition to the various blockchain-based solutions. Nothing that enjoys widespread support or mindshare, unfortunately.

Even the current centralized ICANN flavor could be substantially more resilient if it instead handed out key fingerprints and semi-permanent addresses when queried. That way it would only ever need to be used as a fallback when the previously queried information failed to resolve.

GP said it was a risk (and it is), not that there are better alternatives. Not all risks can be eliminated easily but you should still be aware of them.
BGP, but the names in question are limited to 128 bits, of which at most 48 will be looked up, and you don't get to choose which 48 bits are assigned to you.
Normally it should not have been, with cache and all, but that was the past...

Think about what would happen the day that letsencrypt is broken for whatever reason, technical or like having a retarded US leader and being located in the wrong country. Taking into account the push of letsencrypt with major web browsers to restrict certificate validities to short periods like only a few days...

Let's Encrypt has to be down for days before people begin to feel the pain. DNS is very different, it breaks stuff immediately everywhere.
No it doesn't. DNS breaks as soon as TTLs run out. It's your choice to set them so low that stuff breaks immediately.
What do you recommend then? DNS doesn't usually change that often, but if you mess it up when it does, you're in for some pain if TTLs are high!
Not the one you're replying to, but I'd keep TTL high normally and lower it one TTL ahead of a planned change.
I would define high as "double the time needed to fix a DNS issue" and account for weekends.
This is the way.
Unfortunately you can't set DNS TTL arbitrarily high (or low) without some resolvers ignoring your suggestion and using arbitrary values.
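The TTL plan in the replies above (keep the TTL high, lower it one old TTL ahead of a planned change, and expect some resolvers to clamp whatever you publish) can be checked with a small cache simulation. The following is an added example, not code from any commenter; the name, the TEST-NET addresses and the timeline are constructed, and the resolver model (a plain cache with optional min/max TTL clamping) is a simplification of real resolver behaviour.

```python
"""Simulate resolver caches around a planned DNS change to check a
TTL-lowering plan before relying on it (constructed example)."""

from dataclasses import dataclass, field
from typing import Callable, Optional

NAME = "www.example.com"  # constructed name, not a real target


@dataclass
class Authority:
    """Authoritative zone data. The operator lowers the TTL at lower_at and
    changes the record value at change_at, so the answer depends on time."""
    current_ttl: int   # the normal, high TTL
    low_ttl: int       # the TTL published shortly before the change
    lower_at: int      # time at which the low TTL starts being served
    change_at: int     # time at which the record value changes

    def answer(self, t: int) -> tuple[str, int]:
        ttl = self.low_ttl if t >= self.lower_at else self.current_ttl
        # RFC 5737 TEST-NET addresses stand in for the old and new targets
        value = "203.0.113.20" if t >= self.change_at else "203.0.113.10"
        return value, ttl


@dataclass
class Resolver:
    """Caching resolver. Some real resolvers clamp TTLs to their own
    range, as the thread notes; min_ttl/max_ttl model that."""
    min_ttl: int = 0
    max_ttl: Optional[int] = None
    cache: dict = field(default_factory=dict)

    def lookup(self, name: str, t: int, authority: Authority) -> str:
        entry = self.cache.get(name)
        if entry and entry[1] > t:          # still fresh: serve from cache
            return entry[0]
        value, ttl = authority.answer(t)
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        ttl = max(ttl, self.min_ttl)
        self.cache[name] = (value, t + ttl)  # (value, expiry time)
        return value


def plan_lowering(change_at: int, current_ttl: int) -> int:
    """The thread's rule: start serving the low TTL one old TTL before the change,
    so no cache can still hold an old-TTL copy when the value flips."""
    return change_at - current_ttl


def worst_case_staleness(authority: Authority,
                         resolver_factory: Callable[[], Resolver] = Resolver) -> int:
    """Seconds after change_at during which some resolver may still hand out
    the old value. The worst cases are a resolver that cached one second
    before the lowering (it holds the old, high TTL) and one that cached one
    second before the change (it holds the low TTL)."""
    worst = 0
    for t in (authority.lower_at - 1, authority.lower_at, authority.change_at - 1):
        r = resolver_factory()
        r.lookup(NAME, t, authority)
        _, expires = r.cache[NAME]
        worst = max(worst, expires - authority.change_at)
    return worst


if __name__ == "__main__":
    change_at, high, low = 200_000, 86_400, 300
    good = Authority(high, low, plan_lowering(change_at, high), change_at)
    rushed = Authority(high, low, change_at, change_at)          # lowered at the change itself
    late = Authority(high, low, change_at - 3_600, change_at)    # lowered only an hour ahead
    for label, auth in (("planned", good), ("no lowering", rushed), ("lowered too late", late)):
        print(f"{label:18s} worst staleness: {worst_case_staleness(auth):6d}s")
    print(f"{'planned, clamping':18s} worst staleness: "
          f"{worst_case_staleness(good, lambda: Resolver(min_ttl=3_600)):6d}s")
```

With the plan followed, the old value lingers for at most one low TTL; lowering only an hour ahead of the change barely improves on not lowering at all, because a resolver that cached just before the lowering still holds a full day of old data. The last line shows the caveat from the comment above: a resolver that clamps TTLs up to an hour turns the 300-second window back into an hour, whatever the zone publishes.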
Most historical outages lasted minutes or hours. One arguably lasted much longer, when someone lost control of their servers due to civil war.

I haven't followed this closely, but have there been any... shall we say plain outages longer than six hours? That's not an outrageous TTL. Or a day.

This assumes that the host name you want has been recently queried. If it's not cached, good luck...
TL;DR: If it's not cached, does it really matter if it's offline for some time?

Long version:

If you're so popular all around that you really really want a very very short TTL, people will query all the time from all the places that "count", won't they? So it's gonna be cached.

If you're not so popular or not all around, what does it matter even if you had a very very short TTL? You're not losing much.

Not really? .com and .net are still up

If Let's Encrypt goes down, half of the Internet will become inaccessible in a week.

Presumably if Let's Encrypt goes down and stays down for a week, the sites that go down are the ones that see that their CA went down and at no point in the week take the option to get certs from a different CA?
I guarantee that there are a ton of sites out there not monitoring their certs.
Including Microsoft, Starlink, GitHub, Cisco:

* https://www.keyfactor.com/blog/2023s-biggest-certificate-out...

"A ton" being a misspelling of "the vast, vast majority".
Are there alternative CAs that are anywhere near as easy to deal with as Let's Encrypt?
acme.sh supports multiple CAs; there is even an RFC for CAs that describes the API.
So it seems we need something like this [1] for IT infrastructure? ;)

[1] https://outerspaceinstitute.ca/crashclock/