by AlyssaRowan 4182 days ago
The dealbreaker for us with NameCheap/eNom is simple: still no DNSSEC.

It's been how many years now? And all they say is "we're working on it" and have no ETA. So we moved most things to Gandi.

Feels good having no GoDaddy, however.


Seriously? I'm surprised to see you of all people write that. No DNSSEC is a feature, not a bug.
Care to elaborate on DNSSEC? I've been interested in seeing wider adoption of DNSSEC for things like DANE.
DANE is a replacement for the CA system that effectively cedes cryptographic control of most of the Internet to world governments.
No... DANE doesn't cede control to world governments.

<insert-standard-many-hundred-line-exchange-between-you-and-I-that-has-happened-in-other-HN-threads-here>

DANE can work perfectly fine with the existing CA system to provide another way of verifying that the correct TLS certificate (or CA) is being used. Or... it can be used with a completely different trust anchor or TLS certificate that you control. Your choice.

But you and I will just have to disagree on this topic. Your dislike of DNSSEC is well-known, as is my support for it.

The USG controls .com, .net, and .org. The government of Libya controls .ly. DNSSEC puts cryptographic key material under the influence of the DNS. "No it doesn't" isn't a rebuttal to that.
But Thomas ... I still don't understand the attack that you say can be made against DNSSEC-signed domains. Here's what I see, if I have a .COM domain:

1. I sign my domains and generate a DS record.

2. I upload the DS record to my registrar who passes the DS record up to the .COM registry.

Now, when someone does DNSSEC validation on my DNS records, they wind up doing this process:

1. Going through the DNS process to get my DNS records as well as the DNSKEY and RRSIGs.

2. Following the chain of DS records up to the .COM registry and on up to the root of DNS... being able to validate along the way the integrity of the records.

Where do world governments get to interfere here?

If a govt were able to manipulate the TLD registry, the best they could do would be to point my domain to some other name servers that weren't mine... is THAT the attack you see? I seriously would like to understand.

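To make the two-step chain in the comment above concrete, here is an added Python sketch (not from the thread or any poster) of the DS computation from RFC 4034 and the check a validator performs at the .COM delegation. The owner name, key bytes and algorithm number are constructed placeholders, not real key material.

```python
import hashlib
import struct

# Hypothetical DNSKEY material, constructed for illustration (not real keys).
OWNER = "example.com."
LEGIT_KEY = b"\x01\x02\x03\x04"   # the zone owner's KSK public key bytes
OTHER_KEY = b"\xaa\xbb\xcc\xdd"   # a different key the owner never used

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key: bytes, flags: int = 257, protocol: int = 3, algorithm: int = 13) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm number, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS RDATA (key tag, algorithm, digest type 2 = SHA-256, digest) as the parent zone publishes it."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_holds(owner: str, child_rdata: bytes, parent_ds_set: list) -> bool:
    """The validator's check at a delegation: the child's KSK is trusted only if a DS in the parent zone matches it."""
    return make_ds(owner, child_rdata) in parent_ds_set

def who_is_trusted(parent_ds_set: list) -> dict:
    """Given whatever DS set the parent (the registry) publishes, report which key a validator would accept."""
    return {
        "legit_key_accepted": chain_holds(OWNER, dnskey_rdata(LEGIT_KEY), parent_ds_set),
        "other_key_accepted": chain_holds(OWNER, dnskey_rdata(OTHER_KEY), parent_ds_set),
    }

if __name__ == "__main__":
    # Step 2 of the comment: the owner submits the DS for their own key and the registry publishes it.
    print(who_is_trusted([make_ds(OWNER, dnskey_rdata(LEGIT_KEY))]))
    # If the parent zone instead carries a DS for a different key, the validator's trust follows the parent.
    print(who_is_trusted([make_ds(OWNER, dnskey_rdata(OTHER_KEY))]))
```

Running it shows that a validator accepts whichever key the parent zone's DS record points at, which is where the two sides of this thread locate the trust question.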
Asking the compromised DNS server if it's been compromised is a really good way to find out if it's been compromised.
I agree with you AlyssaRowan. I also moved some domains away from NameCheap/eNom when they didn't provide DNSSEC support.

I did move a couple of domains to Google Domains. While they do not provide DNSSEC in their DNS hosting, they do support DNSSEC records (DS) if you host your domains somewhere else that supports DNSSEC signing.

Why bother? DNSSEC is hardly useful in real life anyway.