undefined | Better HN

story

0 pointstptacek11y ago0 comments

Seriously? I'm surprised to see you of all people write that. No DNSSEC is a feature, not a bug.

0 comments

Care to elaborate on DNSSEC? I've been interested in seeing wider adoption of DNSSEC for things like DANE.

DANE is a replacement for the CA system that effectively cedes cryptographic control of most of the Internet to world governments.

danyork11y ago

No... DANE doesn't cede control to world governments.

<insert-standard-many-hundred-line-exchange-between-you-and-I-that-has-happened-in-other-HN-threads-here>

DANE can work perfectly fine with the existing CA system to provide another way of verifying that the correct TLS certificate (or CA) is being used. Or... it can be used with a completely different trust anchor or TLS certificate that you control. Your choice.

But you and I will just have to disagree on this topic. Your dislike of DNSSEC is well-known, as is my support for it.

tptacekOP11y ago

The USG controls .com, .net, and .org. The government of Libya controls .ly. DNSSEC puts cryptographic key material under the influence of the DNS. "No it doesn't" isn't a rebuttal to that.

1 more reply

ryanlol11y ago

Asking the compromised DNS server if it's been compromised is a really good way to find out if it's been compromised.

j / k navigate · click thread line to collapse

0 comments

ademarre11y ago

Care to elaborate on DNSSEC? I've been interested in seeing wider adoption of DNSSEC for things like DANE.

tptacekOP11y ago

DANE is a replacement for the CA system that effectively cedes cryptographic control of most of the Internet to world governments.

danyork11y ago

No... DANE doesn't cede control to world governments.

<insert-standard-many-hundred-line-exchange-between-you-and-I-that-has-happened-in-other-HN-threads-here>

But you and I will just have to disagree on this topic. Your dislike of DNSSEC is well-known, as is my support for it.

tptacekOP11y ago

The USG controls .com, .net, and .org. The government of Libya controls .ly. DNSSEC puts cryptographic key material under the influence of the DNS. "No it doesn't" isn't a rebuttal to that.

1 more reply

ryanlol11y ago

Asking the compromised DNS server if it's been compromised is a really good way to find out if it's been compromised.

j / k navigate · click thread line to collapse