Comment by ysleepy - Hacker Neue

ysleepy Apr 17, 2025 parent

That only works for high profile domains, a CA can just issue a cert, log it to CT and if asked claim they got some DNS response from the authoritative server. Then it's a he said she said problem.

Or is DNSSEC required for DV issuance? If it is, then we already rely on a trustworthy TLD.

I'm not saying there isn't some benefit in the implicit key mgmt oversight of CAs, but as an alternative to DV certs, just putting a pubkey in dnssec seems like a low effort win.

It's been a long time since I've done much of this though, so take my gut feeling with a grain of salt.

tptacek Apr 17, 2025

DNSSEC isn't required by anything, because almost nobody uses it.

ryao Apr 21, 2025

I deploy DNSSEC on all domains I administer.

tptacek Apr 21, 2025

This isn't a contest of two vibes, one pro-DNSSEC and one anti-. You can just download the Tranco list and run a for loop over it checking for DS records. DNSSEC adoption in North America has actually fallen sharply in North America since 2023 (though it's starting to tick back up again) and every chart you'll find shows a pronounced plateauing effect, across all TLDs --- damning because the point at which the plateau flattens is such a low percentage.

ryao Apr 22, 2025

Is that because people are uninformed or just do not care?

tptacek Apr 30, 2025

How about option 3: they care deeply and are making a considered choice.

This item has no comments currently.