As soon as everyone signs their zones with DNNSEC, we can implement DANE to use self-signed certificates safely, and all our problems will go away, world peace will be achieved, and food will taste better.
I still don’t understand the resistance to DNSSEC. It’s just the right solution to the problem (or something like it is). Most of the arguments I’ve seen against it are just “the governments and three letter agencies control the TLDs!!” which like… Sure. But even with the usual CA infrastructure all of the trust depends upon the TLDs anyway. Like… If you are a TLD and control the root DNS servers you can obviously redirect any domain to wherever you want and get a LetsEncrypt certificate for any domain under the TLD anyway? Maybe somebody would notice, but it’s probably just as likely that somebody would notice them messing around with DNSSEC (and then there would even be cryptographic proof of foul play?)
As soon as everyone signs their zones with DNNSEC, we can implement DANE to use self-signed certificates safely, and all our problems will go away, world peace will be achieved, and food will taste better.
Will my cock grow a bit, too?
Yes, and the RRSIG record will prove that it hasn’t been tampered with.
I still don’t understand the resistance to DNSSEC. It’s just the right solution to the problem (or something like it is). Most of the arguments I’ve seen against it are just “the governments and three letter agencies control the TLDs!!” which like… Sure. But even with the usual CA infrastructure all of the trust depends upon the TLDs anyway. Like… If you are a TLD and control the root DNS servers you can obviously redirect any domain to wherever you want and get a LetsEncrypt certificate for any domain under the TLD anyway? Maybe somebody would notice, but it’s probably just as likely that somebody would notice them messing around with DNSSEC (and then there would even be cryptographic proof of foul play?)