undefined | Better HN

0 pointsjeroenhd13d ago0 comments

> Even if you aren't "self-hosting", but use a different service for DNS hosting than you registered your domain with, then it can be complicated to coordinate between them

Indeed, you'd need to copy-paste four text fields

> for others, you have to contact customer support, and sometimes pay more.

That's ridiculous, I've never seen any registrar do that. Even if you do choose a terrible registrar, actual DANE rollout in browsers would put pressure on them to get their shit together.

As for DNSSEC validation: validation currently seems to happen between 0 to 95% according to https://stats.labs.apnic.net/dnssec

Obviously, for DANE to work, verification must happen. DANE-enabled browsers will enforce validation, or fall back to regular TLS (with the scary warnings if someone stripped DNSSEC for a DANE server, as the certificate doesn't work any more). On operating systems that don't bother with DNSSEC validation, browsers can still query the necessary keys.

As for performance, DNSSEC does impose extra network traffic, but so does transmitting an intermediate certificate.

0 comments

tptacek13d ago

Hard to square this with the operational history of DNSSEC at some of the best-resourced ops teams in the world.

jeroenhdOP13d ago

If you're stuck with something like AWS and their buggy implementation then you might indeed run into trouble. Luckily, normal DNS servers don't have this issue.

Most people and websites don't have ops teams, though. It's mostly a challenge if you manage your own DNS, which most people don't do.

tptacek12d ago

The point isn't that you're stuck using Route53, it's that large, hypercapable teams, including the one at Route53, have attempted to deploy and manage DNSSEC and failed, indicating that the challenge is not simply "4 lines in a text file".

j / k navigate · click thread line to collapse