[dns-operations] DNSSEC deployment incentives
paul at redbarn.org
Tue Jun 18 22:56:11 UTC 2019
On Tuesday, 18 June 2019 20:48:16 UTC John Levine wrote:
> >>> Why not get some TLSA records going for that server too Bill, if you're
> >>> using TLS?
> Now we get to ponder which is more broken, DNSSEC (and registrar
> account compromises), or the world of CAs.
in that case, there's no useful debate remaining. one trust anchor operated by
a public charity with high transparency is better than 2000+ trust anchors
operated mostly by government intelligence shell companies without

i don't like trust anchors, or internet governance as practiced in the modern
era, or one-egg one-basket designs. however, this time the alternative has
proved itself to be amazingly worse than the worst-case scenario of a single

we must kill off the world's dependency on X.509 CA cert repositories, a-s-a-p.
we had a situation so terrifyingly awful that lets-encrypt was able to make
it even worse, regardless of intentions. let's move on.