[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47 days by 2029)
Bill Woodcock
woody at pch.net
Wed Apr 23 20:17:24 EDT 2025
>>> If you haven't read Tom Ptacek's "Against DNS"
>>> <https://sockpuppet.org/blog/2015/01/15/against-dnssec/>, you should.
>>> While not every one of his comments are things everyone agrees with,
>>> the points are all well-argued.
>>
>> That's a decade old and out of date. I've had this argument with Thomas
>> on HN several times. Is there a more up to date version of this?
I’m not going to bother re-hashing specifics, but this all fundamentally boils down to two camps: one which says “if a tool isn’t PERFECT, then NO ONE SHOULD BE ALLOWED TO USE IT” versus the other camp which says “no tool is perfect, but we need building-blocks, and with enough imperfect building blocks, we may be able to cobble together something that’s better than nothing.” I’m very much in the latter camp.
Trying to make _everybody_ secure by educating everybody doesn’t scale, and trying to make everybody secure by not allowing people to use imperfect tools leaves everybody insecure. Some of us actually do need access to the best tools we can get our hands on. So I care a lot about DNSSEC, because it’s something I can build a reasonably secure system with, whereas I can’t build a secure system using anything that trusts CA certs. Whether other people actually do build secure systems or not is their problem, not mine.
-Bill