[dns-operations] DNSSEC deployment incentives

Paul Vixie paul at redbarn.org
Tue Jun 18 22:56:11 UTC 2019

On Tuesday, 18 June 2019 20:48:16 UTC John Levine wrote:
> >>> Why not get some TLSA records going for that server too Bill, if you're
> >>> using TLS?
> Now we get to ponder which is more broken, DNSSEC (and registrar
> account compromises), or the world of CAs.

in that case, there's no useful debate remaining. one trust anchor operated by 
a public charity with high transparency is better than 2000+ trust anchors 
operated mostly by government intelligence shell companies without 

i don't like trust anchors, or internet governance as practiced in the modern 
era, or one-egg one-basket designs. however, this time the alternative has 
proved itself to be amazingly worse than the worst-case scenario of a single 
trust anchor.

we must kill off the world's dependency on X.509 CA cert repositories, a-s-a-
p. we had a situation so terrifyingly awful that lets-encrypt was able to make 
it even worse, regardless of intentions. let's move on.


More information about the dns-operations mailing list