[moquilabs]

In the FAQ of this article it says:

> What’s the alternative to DNSSEC? > Do nothing. The DNS does not urgently need to be secured.

> All effective security on the Internet assumes that DNS lookups are unsafe.

This is not true, our entire infrastructure of ACME certificate authorities like let's encrypt are fundamentally dependent on DNS: https://letsencrypt.org/how-it-works/#domain-validation

Then TLS verifies the domain with the private key the certificate authority issues...

How can you trust the s (secure) in https then??

Can anyone provide an example of "effective security on the Internet"?

[tptacek]

Virtually none of the most important sites on the Internet are signed. When's the last time one was maliciously misissued?

[moquilabs]

Fair point.

I'm just looking for a way to cryptographically prove that my website is from me in a way that browsers will accept.

This means the whole chain from ICANN -> Verisign -> registrar -> dns -> IP -> my server.

[tptacek]

1. Browsers briefly tried adopting DANE and gave up on it.

2. DNS is the wrong level of networking abstraction to do this kind of policy enforcement at, because DNS isn't plumbed for warnings and error reporting; when DNSSEC fails, whole zones simply fall of the Internet (for people who validate) as if they weren't there at all. It's the worst possible failure mode.

3. The thing you say you want can't be had with DNSSEC. You don't get "the whole chain from ICANN to your server". Any of the parent zone operators above you can decide to defect, for your zone specifically, and (particularly for state-level adversaries) for particular targets resolving your zones, without you ever knowing about it.

[inigyou]

If any of the parent zones defects, they can trivially misissue a certificate. Having separate CAs that ddo whatever DNS says doesn't improve anything.