Post AoUjOLSl7StDNdialU by pixelcode@social.tchncs.de
       Post #AoUjOLSl7StDNdialU by pixelcode@social.tchncs.de
       2024-11-17T14:33:23Z
       
       0 likes, 1 repeats
       
       I don't fully understand #DNSSEC criticism yet: A major argument against it is that it's a “government-controlled PKI” and that, for example, “Gaddafi would have controlled bit.ly’s TLS keys if it had been deployed earlier”. But isn't that a strawman? If a bad actor controls DNSSEC, they control all the other #DNS records too, i.e. the government can always point domains wherever they like and obtain valid #TLS certificates. The Taliban closed down queer.af completely without DNSSEC.
       
       Post #AoUjOOOyC0doUky6m8 by pixelcode@social.tchncs.de
       2024-11-17T14:40:15Z
       
       0 likes, 0 repeats
       
       #DNSSEC and #DANE should not replace the established #TLS certificate authority system, because it would undermine end-to-end encryption between client and server, but I do believe that DNSSEC/DANE serve a legitimate role: preventing #DNS spoofing by third parties, i.e. proving that a DNS record really comes from the correct name server. And in order to keep DNS requests private, DoH/DoT/DoQ should be the default.
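Added example, not part of pixelcode's posts: the DANE side of the discussion above comes down to a TLSA record (RFC 6698) that pins a certificate or public key for a service, and the client checking the presented certificate against it. The code below implements that comparison step only (selector and matching-type handling, constant-time compare) and shows that a record published for one key rejects a different one. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER; the TLSA data itself is only trustworthy if the DNS answer carrying it was DNSSEC-validated, which this code does not do.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample inputs: stand-ins for the DER-encoded end-entity
# certificate and its SubjectPublicKeyInfo, as a client would extract them
# from the TLS handshake. Not real ASN.1.
SAMPLE_CERT_DER = b"constructed-der-certificate-bytes"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-bytes"


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file presentation format '<usage> <selector> <mtype> <hex>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def format_tlsa(record: TLSARecord) -> str:
    """Inverse of parse_tlsa: the text an operator would publish in the zone."""
    return f"{record.usage} {record.selector} {record.mtype} {record.data.hex()}"


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate.

    Raises ValueError for selector/matching-type values this code does not
    know; such records are unusable and must never be treated as a match.
    """
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> TLSARecord:
    """Build the record an operator publishes for a given certificate."""
    return TLSARecord(usage, selector, mtype, association_data(selector, mtype, cert_der, spki_der))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one presented certificate against one TLSA record.

    This is only the data comparison: usages 0 and 1 additionally require
    normal PKIX chain validation, and usage 2 is compared against an issuer
    certificate in the chain rather than the end-entity certificate.
    """
    if record.usage not in (0, 1, 2, 3):
        return False
    try:
        expected = association_data(record.selector, record.mtype, cert_der, spki_der)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak which prefix matched.
    return hmac.compare_digest(expected, record.data)


def demo() -> dict:
    """Publish a DANE-EE / SPKI / SHA-256 record and test it against two keys."""
    published = make_tlsa(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    record = parse_tlsa(format_tlsa(published))  # round-trip through zone text
    return {
        "record": format_tlsa(record),
        "genuine_key_accepted": tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER),
        # Same certificate bytes but a different public key: must be rejected.
        "other_key_rejected": not tlsa_matches(record, SAMPLE_CERT_DER, b"constructed-other-spki"),
        # A record with a matching type this client does not understand is unusable.
        "unknown_mtype_rejected": not tlsa_matches(TLSARecord(3, 1, 9, record.data),
                                                   SAMPLE_CERT_DER, SAMPLE_SPKI_DER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The round trip through `format_tlsa`/`parse_tlsa` mirrors what actually happens: the operator publishes text in the zone, and the client reconstructs the record from the DNS answer. Everything about whether that answer was tampered with in transit is the DNSSEC question from the posts above, and sits outside this comparison.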