As the other commenter said, this sounds a lot like DANE.
As such, it suffers from the same issue: it relies on DNSSEC. If you look at the trust chain for DNSSEC on the .com domain, you are trusting the US government and your registrar. The US government is the bigger issue here, as the NSA is also a part of them.
You might argue that this is 'good enough' but considering the momentum that these kinds of systems have, a wrong decision here could really enable NSA spying for a long time. Besides, CT logs seem like a much better solution than key-pinning anyway.
This has always seemed like a really silly argument. You're already trusting the US government, VeriSign, and a multitude of other organizations that control CAs, so DANE doesn't make this worse.
It's kind of a moot point, though, since DNSSEC is garbage for other reasons. Certificate transparency logs are the current best effort in this area.
The point is not that DANE doesn't make things worse. The point is that it is not a solution. Originally, DANE was meant as a method to restrict rogue CAs from issuing certificates. The fact that state actors can still do that after DANE makes DANE a bad solution.
The US Government is and should be the root of trust for US domains (certainly for .us, and de facto that's become the use of .com too). Since the US government can compel any US entity to follow secret orders, if you don't trust the US government you already couldn't use any US sites. DANE improves things compared to not, since it means you don't have to trust the US government if you're not using US sites, you don't have to trust the Chinese government if you're not using Chinese sites, you don't have to trust the government of Kazakhstan if you're not using Kazakh sites...
I am a Dutch citizen and have a .nl domain.
Yet, that does not mean I am OK with the Dutch government issuing invalid certificates for my website.
True, it's an improvement that only the Dutch government can do this, and not the Hong Kong post office. On the other hand, it is a major downside that we are encoding the possibility of government dragnet surveillance.
In the end, certificate transparency logs will let me notice whenever anyone issues a certificate for my website.
> it is a major downside that we are encoding the possibility of government dragnet surveillance.
Quite the opposite; DANE makes it possible to have a TLD that opts out of giving national governments access to it. Most existing TLDs are controlled by governments, but that doesn't have to be how it is.
I don't understand this US government nonsense and why it continues to persist. Will someone please explain to me like I'm 5 why you are trusting the US government if you deploy DNSSEC? Where in the trust chain of the .com zone does the USG come into play?
The .com domain is controlled by the USG.
If they want to serve a false DNS response, they can access the key used to sign the .com domain.
That key can be used to sign a new key for the relevant domain, which can be used to sign the response.
That the .com domain is under USG control follows from:
"The domain was originally administered by the United States Department of Defense, but is today operated by Verisign, and remains under ultimate jurisdiction of U.S. law."[1]
That said, since the control was transferred away from the DoD, the control is much less.
A similar argument still holds for country level TLDs. Any government that administers its own TLD can use that with DNSSEC to forge DNS responses.
Verisign is just a company located in the USA. Does it then follow that any company located in the USA is 'controlled by the USG'? That seems like a bit of a stretch, to say the least. There is nothing else there. Your reference to history is irrelevant today.
Also, I really don't understand what this has to do with DNSSEC? Without DNSSEC anyone can forge responses. With DNSSEC you limit that to the zone administrator.
> Without DNSSEC anyone can forge responses. With DNSSEC you limit that to the zone administrator.
Whilst that is an improvement, it is still bad. Specifically, I'd say it is not good enough to build a secure system on. There is an argument to be made that it is nice for defense in depth, but it should not be stand-alone security.
There are other practical concerns regarding DNSSEC at the moment with failure handling.
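The chain of trust that the two posts above argue over (the .com key signing a DS for the domain, the domain key signing the answer, and a validator that only limits forgery to whoever holds the parent key) can be made concrete with a small model. The following Go program is an added illustration, not code from any of the commenters or from a DNSSEC implementation: it stands in for DNSKEY/DS/RRSIG with ed25519 signatures and a SHA-256 digest, ignores KSK/ZSK splitting and record timing, and uses constructed zone names and addresses. It runs three chains for the same query against a resolver that trusts only the .com key: the registrant's own chain, a chain built by a third party with no parent key, and a chain built with a second key that the holder of the parent key has vouched for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ZoneKey is a toy stand-in for a zone's DNSKEY: an ed25519 key pair held by
// the operator of that zone (real DNSSEC splits KSK and ZSK; this model does not).
type ZoneKey struct {
	Zone string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZoneKey(zone string) ZoneKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return ZoneKey{Zone: zone, Pub: pub, priv: priv}
}

// SignedRecord is one resource record plus an RRSIG-like signature over it.
type SignedRecord struct {
	Owner, Type, Data string // e.g. "example.com.", "A", "192.0.2.1" (constructed)
	Signer            string // zone whose key produced Sig
	Sig               []byte
}

func recordBytes(owner, rtype, data string) []byte {
	return []byte(owner + "|" + rtype + "|" + data)
}

func (k ZoneKey) Sign(owner, rtype, data string) SignedRecord {
	return SignedRecord{owner, rtype, data, k.Zone, ed25519.Sign(k.priv, recordBytes(owner, rtype, data))}
}

func verifyRecord(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, recordBytes(r.Owner, r.Type, r.Data), r.Sig)
}

// DSDigest is the digest of a child key that the registrar places in the parent
// zone as a DS record; the parent signs this digest, never the child's key itself.
func DSDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Chain is what a validating resolver collects for one answer under a parent zone.
type Chain struct {
	DS       SignedRecord      // DS for the child, signed with the parent's key
	ChildKey ed25519.PublicKey // the child's DNSKEY as served by the child zone
	Answer   SignedRecord      // the record the client asked for, signed by the child
}

// Validate walks the chain from a trust anchor (the parent zone's public key)
// and reports the first step at which validation fails.
func Validate(anchor ed25519.PublicKey, c Chain) (bool, string) {
	if !verifyRecord(anchor, c.DS) {
		return false, "DS not signed by the trusted parent key"
	}
	if c.DS.Data != DSDigest(c.ChildKey) {
		return false, "child DNSKEY does not match the parent-signed DS"
	}
	if !verifyRecord(c.ChildKey, c.Answer) {
		return false, "answer not signed by the child DNSKEY"
	}
	return true, "chain validates"
}

// BuildChain assembles a chain for one answer from a parent key and a child key;
// the same routine produces every chain below, which is exactly the point: the
// validator sees no difference between them beyond which keys signed what.
func BuildChain(parent, child ZoneKey, owner, addr string) Chain {
	return Chain{
		DS:       parent.Sign(owner, "DS", DSDigest(child.Pub)),
		ChildKey: child.Pub,
		Answer:   child.Sign(owner, "A", addr),
	}
}

// Scenarios validates three answers to the same query against a resolver that
// trusts only the parent (.com) key. All names and addresses are constructed.
func Scenarios() map[string]bool {
	com := NewZoneKey("com.")                // trust anchor the resolver holds
	registrant := NewZoneKey("example.com.") // the domain owner's own key
	stranger := NewZoneKey("stranger")       // holds neither the parent nor the child key
	substitute := NewZoneKey("example.com.") // a second child key vouched for by the parent key holder

	chains := map[string]Chain{
		"legitimate":          BuildChain(com, registrant, "example.com.", "192.0.2.1"),
		"third-party forgery": BuildChain(stranger, stranger, "example.com.", "198.51.100.9"),
		"parent-key holder":   BuildChain(com, substitute, "example.com.", "198.51.100.9"),
	}
	out := make(map[string]bool, len(chains))
	for name, c := range chains {
		ok, _ := Validate(com.Pub, c)
		out[name] = ok
	}
	return out
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-20s validates=%v\n", name, ok)
	}
}
```

The third-party chain fails at the first step because the resolver's only anchor is the parent key, which is the improvement one commenter describes; the parent-key-holder chain passes every step because the DS it carries is genuinely signed by that anchor, which is the residual trust the other commenter objects to. Detecting the latter case needs something outside the chain, such as the registrant comparing the published DS against the digest of the key they actually hold.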