
But why do you want it? DNSSEC and TLS cover much of the same use cases - except DNSSEC is worse. IIRC, it uses 1024-bit RSA keys - which are large, and yet not particularly strong. It gives you very little flexibility - if you own example.com, you have to trust the root key and Verisign and whatever governments have authority over them, and the only way out is to change to a different domain name. And what seemed like the most interesting technology enabled by DNSSEC (DANE) has no browser uptake (for good reason).



Until rather recently, the root DNSSEC keys were RSA-1024, but the roots are now RSA-2048 (which is fine). But the rest of the DNSSEC PKI is positively littered with RSA-1024 keys (for instance: there's one in .COM).
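To make the key-size point checkable rather than anecdotal, here is an added example (not from the thread, and not anyone's production tooling) that parses DNSKEY records in the presentation format `dig` prints and reports the RSA modulus size, using the RFC 3110 wire layout (exponent length, exponent, modulus). The zone data is constructed inline with synthetic moduli, so it runs offline; the algorithm numbers and flag bits are the IANA/RFC 4034 values.

```python
import base64
import struct

# Hypothetical audit helper, added here as an example; not code from the thread.
# DNSKEY presentation format (RFC 4034): "<flags> <protocol> <algorithm> <base64 key>".
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
SEP_FLAG = 0x0001   # Secure Entry Point bit marks a KSK (257 = ZONE 0x0100 | SEP)


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Bit length of the modulus in an RFC 3110 RSA public key blob."""
    if not pubkey:
        raise ValueError("empty public key")
    exp_len = pubkey[0]
    offset = 1
    if exp_len == 0:
        # Exponent longer than 255 bytes: its length sits in the next two bytes.
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len = struct.unpack("!H", pubkey[1:3])[0]
        offset = 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("missing modulus")
    # int conversion drops any leading zero bytes, so this is the true size.
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(rdata: str, minimum_bits: int = 2048) -> dict:
    """Parse one DNSKEY RDATA string; base64 may be split across whitespace."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("need flags, protocol, algorithm and key material")
    flags, protocol, algorithm = (int(p) for p in parts[:3])
    key = base64.b64decode("".join(parts[3:]))
    info = {"flags": flags, "ksk": bool(flags & SEP_FLAG), "protocol": protocol,
            "algorithm": algorithm, "bits": None, "weak": False}
    if algorithm in RSA_ALGORITHMS:
        info["bits"] = rsa_modulus_bits(key)
        info["weak"] = info["bits"] < minimum_bits
    return info


def build_rsa_dnskey(modulus_bits: int, flags: int = 257, algorithm: int = 8,
                     exponent: int = 65537) -> str:
    """Construct a DNSKEY record with a SYNTHETIC modulus (not a real key)."""
    modulus = (1 << (modulus_bits - 1)) | 0x10001  # top bit set: exact bit length
    mod_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp_bytes) < 256:
        blob = bytes([len(exp_bytes)]) + exp_bytes + mod_bytes
    else:
        blob = b"\x00" + struct.pack("!H", len(exp_bytes)) + exp_bytes + mod_bytes
    return f"{flags} 3 {algorithm} {base64.b64encode(blob).decode()}"


# Constructed sample zone: one 2048-bit KSK, one 1024-bit ZSK, one ECDSA key.
SAMPLE_ZONE = [
    ("example.test.", build_rsa_dnskey(2048, flags=257)),
    ("example.test.", build_rsa_dnskey(1024, flags=256)),
    ("example.test.", "256 3 13 " + base64.b64encode(b"\x01" * 64).decode()),
]


def audit(zone, minimum_bits: int = 2048):
    """Return (owner, role, bits) for every RSA DNSKEY below the minimum."""
    findings = []
    for owner, rdata in zone:
        info = parse_dnskey(rdata, minimum_bits)
        if info["weak"]:
            findings.append((owner, "KSK" if info["ksk"] else "ZSK", info["bits"]))
    return findings


if __name__ == "__main__":
    for owner, role, bits in audit(SAMPLE_ZONE):
        print(f"{owner} {role} uses RSA-{bits}, below 2048")
```

Feeding it real records is a matter of replacing `SAMPLE_ZONE` with the output of `dig DNSKEY <zone>`; non-RSA algorithms are reported with `bits` left as `None`, since their strength is fixed by the curve rather than a modulus.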


If your attack model includes Verisign or a government modifying your DNS zone, then that will allow them to obtain a DV certificate as well.

By and large, TLS security depends on the correctness of DNS. Though you could try your luck with HTTP public key pinning (HPKP).

I fully agree that 1024 bit keys are silly.


HPKP is about to be usable only on Firefox, since IE/Edge never supported it and Chrome has deprecated it and is about to remove it.


I want it because someone above my pay grade has decided, for "reasons", that they want it. These reasons, which I may or may not agree with, are valid and reasonable. It's my role to implement. We have loads of other services in AWS, but because of our DNSSEC requirement we can't use that one. It's a minor technical headache the Ops team has to deal with -- 99% in AWS except this other critical piece.





