[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47 days by 2029)
Bill Woodcock
woody at pch.net
Thu Apr 24 04:11:59 EDT 2025
> On Apr 24, 2025, at 00:15, Ron Garret <ron at flownet.com> wrote:
>> On Apr 23, 2025, at 5:17 PM, Bill Woodcock <woody at pch.net> wrote:
>> So I care a lot about DNSSEC, because it’s something I can build a reasonably secure system with
> How? That's not a rhetorical question, I'm genuinely curious. I get that secure DNS is better than insecure DNS. What I don't get is why you think that secure DNS *by itself* is *better* than CA certs.
If I can get client software that will accept DANE certs and reject CA certs as a category, then I don’t need to worry about bogus CA certs anymore. I control my own DNS infrastructure, and I operate DNS infrastructure for many TLDs. They still depend upon the IANA root cert, but I also control my resolver infrastructure, and I monitor the root cert, so if it (or the DS delegation) goes wonky, I can insert one that works for me instead.
The fundamental difference is that in the DNS, I have the tools I need to close holes, by and large. In CA-cert-land, it feels like mostly just crossing fingers and hoping that other people do their jobs.
If I were someone else, the DNS might feel that way too. But I’m not, and as I said, my concern is securing my own systems, not solving all problems for all people. So, DNS works, CAs don’t, for me.
-Bill
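The policy Bill describes above (accept DANE, reject CA certs as a category) as an added example; this is not code from the post or from any project it mentions. It implements the RFC 6698 DANE-EE (usage 3) matching rule over TLSA records and fails closed when the TLSA data is not DNSSEC-validated or when no usable record exists, with no fallback to a CA trust store. It assumes the caller already has the peer's leaf certificate and its SubjectPublicKeyInfo as DER bytes (extracted from the TLS handshake by whatever library is in use) and the resolver's DNSSEC status; the sample byte strings are constructed stand-ins, not real X.509 structures.

```python
"""Added illustration (not from the post): a DANE-EE (RFC 6698) check that
trusts only DNSSEC-validated TLSA data and never falls back to the CA store.
The caller is assumed to supply the peer's leaf certificate and its
SubjectPublicKeyInfo as DER bytes, plus the resolver's DNSSEC status."""
import hashlib
import hmac
from dataclasses import dataclass

# Field values from RFC 6698 section 2.1
USAGE_DANE_EE = 3   # DANE-EE: the end-entity cert/key itself must match
SELECTOR_CERT = 0   # match against the full certificate
SELECTOR_SPKI = 1   # match against SubjectPublicKeyInfo only
MATCH_FULL = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


class DaneError(Exception):
    """Raised when DANE cannot be applied; callers must treat this as failure."""


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation form '3 1 1 <hex...>' (hex may be split by spaces)."""
    parts = presentation.split()
    if len(parts) < 4:
        raise DaneError(f"malformed TLSA record: {presentation!r}")
    usage, selector, matching = (int(p) for p in parts[:3])
    return TLSA(usage, selector, matching, bytes.fromhex("".join(parts[3:])))


def _digest(matching: int, selected: bytes) -> bytes:
    """Apply the TLSA matching type to the selected cert or SPKI bytes."""
    if matching == MATCH_FULL:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise DaneError(f"unknown matching type {matching}")


def tlsa_presentation(usage: int, selector: int, matching: int, selected: bytes) -> str:
    """What a zone operator would publish for the given cert or SPKI bytes."""
    return f"{usage} {selector} {matching} {_digest(matching, selected).hex()}"


def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes, dnssec_secure: bool) -> bool:
    """Return True iff a DANE-EE record matches the presented leaf.

    Raises DaneError (fail closed) when the TLSA data is not DNSSEC-validated
    or when no DANE-EE record exists: there is deliberately no CA fallback.
    Records with unknown selector/matching types are skipped as 'unusable'
    (RFC 6698 section 4.1) rather than treated as matches.
    """
    if not dnssec_secure:
        raise DaneError("TLSA data not DNSSEC-validated; refusing to use it")
    usable = [r for r in records if r.usage == USAGE_DANE_EE]
    if not usable:
        raise DaneError("no DANE-EE TLSA record; refusing (no CA fallback)")
    for rec in usable:
        selected = {SELECTOR_CERT: cert_der, SELECTOR_SPKI: spki_der}.get(rec.selector)
        if selected is None:
            continue
        try:
            expected = _digest(rec.matching, selected)
        except DaneError:
            continue
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


# Constructed sample inputs: stand-ins for DER, not real X.509 structures.
SAMPLE_CERT = b"constructed-leaf-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info"
OTHER_SPKI = b"constructed-attacker-key"


def demo() -> dict:
    """Exercise the four outcomes a DANE-only client sees."""
    zone = [parse_tlsa(tlsa_presentation(3, 1, 1, SAMPLE_SPKI))]  # "3 1 1 <sha256>"
    out = {"match": dane_ee_accepts(zone, SAMPLE_CERT, SAMPLE_SPKI, True),
           "wrong_key": dane_ee_accepts(zone, SAMPLE_CERT, OTHER_SPKI, True)}
    for name, args in (("no_records", ([], SAMPLE_CERT, SAMPLE_SPKI, True)),
                       ("insecure", (zone, SAMPLE_CERT, SAMPLE_SPKI, False))):
        try:
            dane_ee_accepts(*args)
            out[name] = "accepted"
        except DaneError:
            out[name] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The two DaneError paths are the point: a client that returned False and then consulted the CA store would reintroduce exactly the dependency the post wants to remove, so the caller is forced to treat "no secure TLSA" the same as a mismatch. Constant-time comparison is used for the digest check; the zone-side helper lets an operator generate the record to publish for a given key.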