I don't fully understand the criticism yet: A major argument against it is that it's a “government-controlled PKI” and that, for example, “Gaddafi would have controlled bit.ly’s TLS keys if it had been deployed earlier”.

But isn't that a strawman? If a bad actor controls DNSSEC, they control all the other records too, i.e. the government can always point domains wherever they like and obtain valid certificates. The Taliban closed down queer.af completely without DNSSEC.

@pixelcode I don't get it. How can the government control anything if the root CA is not under that government?

Pixelcode 🇺🇦

@sr3 What I was trying to say is that, if a government controls a domain (because of its TLD, probably), they can create, modify and remove DNS records for that domain as they please (including, but not limited to, DNSSEC). That means they can point the domain to a gov't-controlled server which can then legitimately obtain a valid TLS certificate from any established CA.

Therefore, DNSSEC is not the root cause of the issue that is criticised, in my opinion. Correct me if I'm wrong, though.

@pixelcode ah, got it. Fully agree. Case in point: .su (Soviet Union) shouldn't exist anymore, but the Russian department responsible for it does not let it die.
Changing DNS technologies would not change any of that.

@pixelcode the only argument I've heard that I understand is the lack of visibility for the SOC, but that's only for organizations.
And even those could have a DNS server for requests from within the network and log these requests.
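The two points above, an internal resolver whose query log gives the SOC visibility, and a zone owner pointing a name at a server the organization did not expect, can be combined into a simple detection. The following is an added example, not code from anyone in the thread; the log layout, the names and the RFC 5737 documentation addresses are all constructed.

```python
"""Turn an internal resolver's query log into SOC visibility (constructed sample)."""
from collections import Counter

# Constructed log lines in a simplified "ts client qname qtype answer" layout
# (not any real resolver's format). Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.net A 192.0.2.10
1700000001 10.0.0.7 www.example.net A 192.0.2.10
1700000002 10.0.0.5 mail.example.net A 192.0.2.25
1700000003 10.0.0.9 www.example.net A 203.0.113.77
1700000004 10.0.0.9 www.example.net A 203.0.113.77
"""

# Baseline answers the SOC expects for the names it monitors (constructed).
EXPECTED = {"www.example.net": {"192.0.2.10"}, "mail.example.net": {"192.0.2.25"}}


def parse_log(text):
    """Parse the constructed log layout into a list of dicts, one per query."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype.upper(), "answer": answer})
    return records


def queries_per_client(records):
    """Visibility: how many queries each internal client sent through the resolver."""
    return Counter(r["client"] for r in records)


def unexpected_answers(records, expected=EXPECTED):
    """Alert when a monitored name resolves to an address outside its baseline,
    i.e. the name now points somewhere the organization did not expect."""
    alerts = []
    for r in records:
        if r["qtype"] != "A" or r["qname"] not in expected:
            continue
        if r["answer"] not in expected[r["qname"]]:
            alerts.append((r["ts"], r["client"], r["qname"], r["answer"]))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(queries_per_client(recs))
    for alert in unexpected_answers(recs):
        print("unexpected answer:", alert)
```

Whether the resolver validates DNSSEC or not, the log still records which client asked for what and which address came back, which is the visibility the argument above is about.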