
Why you must learn to love DNSSEC - lvh
http://www.circleid.com/posts/20180619_why_you_must_learn_to_love_dnssec/
======
lvh
FWIW: submission is not endorsement. I think there are tons of flaws in this
argument.

For example, they mention TLSA would have prevented this. TLSA would not have
prevented this. Not only did the attackers not succeed in acquiring a TLS
certificate (every DV CA knows about partial BGP hijacks), no browsers
actually implement TLSA or have indicated an interest in TLSA.

I don't know if the article refers to TLSA as "pinning" because they don't
understand what TLSA is or because they're trying to obscure it, but "pinning"
does not generally mean "replacing your issuance system and trust root
wholesale with an obscure system controlled by whatever organization controls
your TLD".

