[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47) days by 2029
Tom Mitchell
mitch at niftyegg.com
Mon May 5 00:03:21 EDT 2025
On Thu, Apr 24, 2025 at 3:20 PM Nico Williams <nico at cryptonector.com> wrote:
> On Wed, Apr 23, 2025 at 03:43:01PM -0700, Jon Callas wrote:
> > > That's a decade old and out of date. I've had this argument with Thomas
> > > on HN several times. I
> Certainly Apple and Google could choose to make that easy. Perhaps
> third party apps could make it easy.
>
> > Strictly speaking, I do not believe that I could run my own DNS as
> > well as any of the major people (1.1.1.1, 8.8.8.8, and so on) do now.
>
With 1.1.1.1 in the list, also look at 1.1.1.2 and 1.1.1.3.
Families and small libraries should load 1.1.1.2 (generally bad reputation
sites) or 1.1.1.3 (bad + porn blocked) on their gateway NATing DHCP router.
Also look at "pihole" as a local caching resolver (DNS) management tool.

Businesses also need firewall tools. Firewalls are harder to maintain and
cost more than resolver hacks.

The global internet problem is giant. The traffic to update all
certificates this often is underestimated.
Perhaps a less aggressive change.
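As an added illustration of what a Pi-hole-style filtering resolver does in front of an upstream such as 1.1.1.1 (example code written for this page, not Pi-hole's or Cloudflare's own code): it loads a hosts-format blocklist, answers blocked names (and their subdomains) with the 0.0.0.0 sinkhole, caches upstream answers for a TTL, and forwards everything else. The blocklist, the "upstream" answer table and the documentation-range addresses are constructed for the example so it runs offline; a real deployment would send the forwarded queries over the network.

```python
"""Toy DNS-filtering resolver in the style of a Pi-hole blocklist.

Constructed example: the blocklist, the upstream answers and all addresses
are made up (RFC 5737 documentation ranges); nothing touches the network.
"""
import time
from dataclasses import dataclass, field

SINKHOLE = "0.0.0.0"  # address returned for blocked names

# Constructed sample blocklist in the hosts-file format Pi-hole consumes.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 malware.example.com   # inline comment
"""

# Constructed stand-in for answers an upstream resolver (1.1.1.1) would give.
FAKE_UPSTREAM = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.11",
}


def normalize(name):
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return name.strip().rstrip(".").lower()


def parse_hosts_blocklist(text):
    """Return the set of hostnames listed in a hosts-format blocklist."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # need "<addr> <host> [<host>...]"
            continue
        for host in parts[1:]:
            blocked.add(normalize(host))
    return blocked


def is_blocked(name, blocklist):
    """True if the name or any parent domain is on the blocklist.

    Parent matching means listing ads.example.net also blocks
    cdn.ads.example.net, as a wildcard rule would.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class Resolver:
    blocklist: set
    upstream: dict
    ttl: float = 300.0
    cache: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {"blocked": 0, "cache_hits": 0, "forwarded": 0})

    def resolve(self, name, now=None):
        """Resolve one A record: sinkhole, cache hit, or forwarded answer."""
        now = time.monotonic() if now is None else now
        name = normalize(name)
        if is_blocked(name, self.blocklist):
            self.stats["blocked"] += 1
            return SINKHOLE
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:  # (address, expiry)
            self.stats["cache_hits"] += 1
            return hit[0]
        addr = self.upstream.get(name)  # stand-in for a query to 1.1.1.1
        if addr is None:
            return None  # NXDOMAIN in a real resolver
        self.stats["forwarded"] += 1
        self.cache[name] = (addr, now + self.ttl)
        return addr


if __name__ == "__main__":
    r = Resolver(parse_hosts_blocklist(SAMPLE_BLOCKLIST), FAKE_UPSTREAM)
    for q in ("ADS.example.net.", "cdn.tracker.example.org", "www.example.com", "www.example.com"):
        print(f"{q:28} -> {r.resolve(q)}")
    print(r.stats)
```

The point the example makes against the 1.1.1.2/1.1.1.3 approach is that the same list-based blocking happens either way; running it locally only moves where the list is maintained and gives you the query log and cache hit counts a hosted resolver keeps for itself.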