> > > > with dane, i trust whoever runs dns for citibank to identify the cert
> > > > for citibank. this seems much more reasonable than other approaches,
> > > > though i admit to not having dived deeply into them all.
> > >
> > > If the root DNS keys were compromised in an all DNS rooted world...
> > > unhappiness would ensue in great volume.

Compromise of DNSSEC == compromise of one or more DNS registries. This is a
fate-sharing situation. A few single points of failure rather than hundreds.

Note that a big weak point in the DNS is the interface between the registrars
and the registry. If you have a domain you have to trust the registry to impose
suitable restrictions on its registrars to prevent a dodgy registrar from
stealing your domain. Another, of course, is the interface between a registrar
and its customers.

> It also drives up complexity too and makes you wonder what the added
> value of those cert vendors is for the money you're forking over.

During rollout the cert vendors will be providing backwards compatibility.

> Especially when you consider the criticality of dns naming for everything
> except web site host names using tls.

If a website using TLS loses its DNS then (a) you can't reach it, and (b) the
attacker can trivially obtain a new domain validated certificate.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Fisher, German Bight, Humber, Thames, Dover: Southwest 7 to severe gale 9.
Rough or very rough, becoming high in Fisher. Showers. Moderate or good.

