[j16sdiz]

DNSSEC is the weakest link here.

It is too fragile (multiple point of failure). It is high volume (=it need be cacheable).

Puting authentication cert in dns sounds good in theory, but we have never get that reliability

[mcpherrinm]

Even without DNSSEC, the CAA record approach can help, as it requires MITMing between the CA and the DNS server, which may be harder in some cases than just MITMing a target site.

There’s some upcoming attempts at transport security for authoritative DNS servers which might help too: https://datatracker.ietf.org/doc/html/draft-hoffman-deleg-se...

[westurner]

Is there a Transport-Secured-Only flag in a DNS spec? How to ensure that a CAA cert fingerprint is not retrieved over unsecured DNS?

Re: DNS security and NTP and Decentralized DNS/PKI with web standards like W3C DID and DID micro-ledgers for record signing:

"Cert Authorities Check for DNSSEC from Today" (2026-03-26) https://news.ycombinator.com/item?id=47401716

[tptacek]

There is not.

[Hizonner]

> It is too fragile (multiple point of failure).

If your DNS isn't working, you're not going to be making connections anyway. And if you can't keep DNSSEC running, you can't keep certs up to date either. DNSSEC is actually much simpler, with fewer failure points, once you set it up.

> It is high volume (=it need be cacheable).

It is. Unlike certificates. And the cache lifetimes are much shorter than typical certificate lifetimes.

[tptacek]

It is self-evidently not correct that companies that can't keep DNSSEC running can't keep certs running. Entire TLDs have fallen off the Internet because DNSSEC has broken. A certificate never took Slack down for half a day. It's just obviously not true.

[Hizonner]

It's amazing what practice and investment can do, even for a fragile system like X.509. Yet certs still break constantly. Like permanently killing people's "perpetual" Microsoft Word licenses in a story posted within hours of this one.