by tptacek
4719 days ago
Because replacing a PKI run by companies that the NSA can coerce with a PKI run by the US Government doesn't seem like a good plan? That, along with the litany of reasons why DNSSEC is a terrible design; that it doesn't secure queries from stub resolvers where the need is greatest; that it publishes internal zone names; that it breaks the resolver API and will inevitably create outages; I can go on. (I doubt this is what's held up DANE; rather, the unreliability of DNS compared to hyper-optimized HTTPS/TLS connections is the issue there; browser vendors care about milliseconds.)