[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47 days by 2029)
Nico Williams
nico at cryptonector.com
Sat Apr 26 18:06:13 EDT 2025
On Sat, Apr 26, 2025 at 10:00:57AM -0700, Christian Huitema wrote:
> [...]. Also, there is a high correlation between
> the "authoritative DNS" for a domain and the "CDN server" for that domain.
> See for example https://ithi.research.icann.org/graph-m9.html, which shows
> that the most popular DNS servers for big domains are Cloudflare, AWS,
> Google and Akamai. If you are making a DoH connection to Cloudflare and the
> authoritative server for the domain is also Cloudflare, DNSSEC does not
> bring a lot of value...
Sure, but the whole world isn't hosted on CDNs. I would have preferred
DJB's model for DNS security because it provided confidentiality, but I
do like that one can sign RRSets. Ideally we could have gotten both.