<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, Apr 23, 2025 at 2:20 PM Nico Williams <<a href="mailto:nico@cryptonector.com">nico@cryptonector.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Apr 23, 2025 at 12:28:41PM -0700, Jon Callas wrote:<br>
> > What are the downsides to DNSSEC? Both honest and real, and imagined<br>
> > or excuses.<br>
> <br>
> If you haven't read Tom Ptacek's "Against DNS"<br>
> <<a href="https://sockpuppet.org/blog/2015/01/15/against-dnssec/" rel="noreferrer" target="_blank">https://sockpuppet.org/blog/2015/01/15/against-dnssec/</a>>, you should.<br>
> While not every one of his comments are things everyone agrees with,<br>
> the points are all well-argued.</blockquote><div>.....</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
complaint about DNSSEC.<br>
Looking at Thomas' arguments:<br>
<br>
- "DNSSEC is Unnecessary"<br>
</blockquote><div>... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- "DNSSEC is a Government-Controlled PKI"<br></blockquote><div>.. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- "DNSSEC is Cryptographically Weak"<br></blockquote><div>.. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- "DNSSEC is Expensive To Adopt"<br></blockquote><div>.. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- "DNSSEC is Expensive To Deploy"<br></blockquote><div>.. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- "DNSSEC is Incomplete"<br></blockquote><div>... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- "DNSSEC is Unsafe"<br></blockquote><div><br></div><div>It seems the problem of expiring a cert is fragile and the <br>"solution" is to make the system even more fragile.<br><br>What if commerce and government sites needed a pair of certificates that expire out<br>of phase with each other. Today I can allow an unsigned side "http" to connect or <br>demand only "https". A pair of lookups requires funny business at two locations.<br><br>Another is to add a layer to always check for expiration or revocation. <br><br>Another is to add a browser data class "retain X,Y,Z" and verify against new.<br><br>On the surface, expiration at 47 days is busy work that will generate false alarms. <br>It needs to be LONGER than a corporation sabbatical or school break or seasonal shut down. <br><br>The Chrome tool HTTPS Everywhere could be extended to always check in multiple ways<br>as per merchant and government policy. i.e. http, https, htpss, https3,,,,,</div><div><br>Bind/DNS could have additional records that can be cached (timer, or never cached) <br>The key to improve is to interlock useful andI modest checks that have reasonable independence. <br><br>Some checks can be expensive but those should be uncommon.<br><br></div><div><br></div><div><br></div></div><div dir="ltr" class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l (on NiftyEgg[.]com )</div></div></div>