Big five tech giants aren't playing, and I don't know any bank domains, but it's not hard to find names:
cloudflare.com
verisign.com
comcast.net
*.gov
Every time DNSSEC shows up there's a tptacek comment crapping on the medium. Are you using Google Alerts or something? What were your consulting fees for this service?
This comment breaks the site guidelines and your one downthread is even worse. You can't attack another user like that on HN, and we ban accounts that do it. Please review https://news.ycombinator.com/newsguidelines.html and follow the rules when posting here, regardless of how wrong you think someone is about something.
For example Thomas likes Let's Encrypt but he's stuck with his narrative about how nothing uses DNSSEC. So when you point out that Let's Encrypt uses DNSSEC so this position makes no sense, Thomas will just pretend not to understand and refer you back to stuff he wrote many years ago about how nothing uses DNSSEC.
LetsEncrypt does not rely on DNSSEC and does multi-perspective DNS lookups. Something significantly south of 0.5% of LetsEncrypt certificates ever involve DNSSEC.
If DNSSEC vanished tomorrow, literally nothing about LetsEncrypt would change. There would be no operational impact whatsoever.
Not that there's anything wrong with the pieces I wrote "years ago" about DNSSEC (nothing material has changed about it since I wrote that), but I didn't do that here: I provided new evidence that nobody is using DNSSEC, and it is up-to-the-minute. Practically no mainstream sites use DNSSEC, as everyone can see for themselves at the link at the root of this thread.
Those "multi-perspective" validations have been stalled for over a year. The last news is from August 2017. Unlike many issuers Let's Encrypt notoriously does fresh validations for most issuances and they start with a DNSSEC validated authoritative DNS query chain. So, that's 100% of validations, and perhaps 95% of all issuances. Not 0.5% as you've claimed.
When you wrote your jolly screed against DNSSEC the biggest CAs relied heavily on "Any other method" blanket exemptions which no longer exist today. They also used to insist that their extremely high issuance rates made DNSSEC and other security features just infeasible.
After CT this last part got awkward. Where, a neutral party like me might ask, are the doubtless hundreds of millions of certificates you've been issuing that would make this so hard? And of course they don't exist, it was a bluff and now their bluff has been called.
An infinitesimal fraction of the domains LetsEncrypt issues certificates for are signed. I kind of don't understand how you're even trying to make this argument. Everyone here who has ever set up LetsEncrypt knows there's no DNSSEC involved. LetsEncrypt does not depend on DNSSEC; if DNSSEC vanished tomorrow, there would be no operational impact.
Here, try this: search for "LetsEncrypt tutorial", go through the first two search pages, and find one that says "to start with, sign your domain with DNSSEC". Not one in my search results mentions DNSSEC. That's because: nobody cares.
DNSSEC not protecting those who choose not to be protected is entirely to be expected.
Should I assume you figured "nobody cares" about the Web PKI back just a few years when tutorials wouldn't have mentioned TLS? Were people who said that right? Or wrong?
I'm sorry, I can't understand what you're trying to argue at this point. My argument is simply that LetsEncrypt doesn't depend on DNSSEC, and, indeed, it does not.
Me describing how these conversations go:
> Thomas will just pretend not to understand
Thomas just now:
> I'm sorry, I can't understand what you're trying to argue
Let's Encrypt does today depend on DNSSEC because it uses a DNSSEC verifying validator. If you have chosen not to sign names of course your names aren't protected by this, names which are signed are protected.
In a similar way, Firefox does today depend on the Web PKI because it uses NSS, a TLS implementation with a certificate validator baked into it. If you have chosen not to use HTTPS of course your sites aren't protected by this, sites which use HTTPS are protected.
You're simply using a different definition of "depend" than I am.
When you say "it does depend", you mean that in the rare cases where a domain owner has chosen (weirdly) to sign with DNSSEC, LetsEncrypt will enforce DNSSEC validation on that domain.
When I say "it does not depend", I mean that the basic functioning of LetsEncrypt does not in any way rely on DNSSEC. As I've said in the last several comments, LetsEncrypt will continue to function just fine when DNSSEC goes away, and a security failure in DNSSEC (for instance: if the root keys were posted to Pastebin) would literally not impact LetsEncrypt --- today's LetsEncrypt! --- at all.
I'm fine with you using the word "depend" to mean "uses, in any situation, ever", but you're clear now on what we're trying to say, and the semantic part of the debate should be over.
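The point the two posts above turn on, what a DNSSEC-validating resolver does with a signed name versus an unsigned one, as an added toy model in Python (constructed for this thread, not code from Let's Encrypt or from anyone posting here; the zone names, keys and the `Zone`/`classify` helpers are all made up):

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional
# Constructed toy model, not real DNS: a "key" is a string, a DS is a truncated
# SHA-256 of it, and rrsig_ok stands for "this zone's RRSIGs verify under its key".

@dataclass
class Zone:
    dnskey: Optional[str] = None                                   # None: unsigned zone
    ds_for_children: Dict[str, str] = field(default_factory=dict)  # child zone -> DS digest
    rrsig_ok: bool = True                                          # do its signatures verify?

def ds_digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def classify(zones: Dict[str, Zone], fqdn: str) -> str:
    """Walk the chain of trust from the root towards fqdn. Returns 'secure' (every zone
    cut has a matching DS and valid signatures), 'insecure' (a parent holds no DS for the
    child, so it is unsigned and the answer is accepted unverified) or 'bogus' (a DS exists
    but the child fails to validate, which a validating resolver turns into SERVFAIL).
    Simplification: a missing DS is taken on the parent's word instead of an NSEC proof."""
    labels = fqdn.rstrip(".").split(".")
    path = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    parent = zones["."]                       # trusted through the root trust anchor
    if parent.dnskey is None or not parent.rrsig_ok:
        return "bogus"
    for name in path:
        child = zones.get(name)
        if child is None:                     # not a zone cut: data inside the parent zone
            continue
        ds = parent.ds_for_children.get(name)
        if ds is None:
            return "insecure"
        if child.dnskey is None or ds_digest(child.dnskey) != ds or not child.rrsig_ok:
            return "bogus"
        parent = child
    return "secure"

# Constructed sample tree: signed root and TLD, a signed child, an unsigned child, and
# a child whose DS at the parent no longer matches the key it publishes.
SAMPLE = {
    ".": Zone(dnskey="root-ksk", ds_for_children={"test.": ds_digest("test-key")}),
    "test.": Zone(dnskey="test-key", ds_for_children={
        "signed.test.": ds_digest("signed-key"),
        "broken.test.": ds_digest("old-rotated-key")}),  # stale DS after a bad key rollover
    "signed.test.": Zone(dnskey="signed-key"),
    "unsigned.test.": Zone(),                             # no DNSKEY, no DS at the parent
    "broken.test.": Zone(dnskey="new-key"),
}
```

Only the 'bogus' outcome changes what a CA's validating resolver sees; an unsigned name comes back 'insecure' and is used exactly as it would be without DNSSEC, which is the sense in which both posters are right about their own definition of "depend".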
Cloudflare and Verisign are no surprise; Cloudflare has a DNSSEC product, and Verisign is effectively one of the sponsors of the protocol. For what it's worth: Akamai does DNSSEC, too.
Comcast is indeed DNSSEC-signed (how you know Comcast does DNSSEC is, as I said, they sort of infamously broke an HBO product launch with it). But, for instance: Verizon and AT&T are not!
I don't know if it's "ad-hominem", but it's specifically called out by the guidelines as something you're not allowed to do here. I'd appreciate an apology.