So, how do you suggest to replace DNSSEC then, assuming that your enemy is a nat... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		kuschku on Sept 29, 2017 \| parent \| context \| favorite \| on: DNSSEC KSK Rollover Postponed So, how do you suggest to replace DNSSEC then, assuming that your enemy is a nation state intercepting your DNS queries and responding with NSA QUANTUM before the legitimate server does?

wglb on Sept 29, 2017 [–]

Replace it with nothing.

kuschku on Sept 30, 2017 | [–]

Great, then my entire TLS setup is useless, and I can just use plaintext HTTP.

The whole point is that at least CAs enforce DNSSEC, so no one can get a certificate for my site except for me.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact