
By "no practical attack", you mean, "as long as you trust whichever government controls your TLD and whichever governments effectively control the global DNS root" --- which, for most of the hosts people on HN contact, means "as long as you trust the NSA".

DNSSEC is a disaster. Avoid it.


I hate to add "me too" replies, but it is important to get the message out there that lots of really smart folks consider DNSSEC an absolute failure of such epic proportions that you shouldn't even joke about building something real on top of it.

The only thing DNSSEC has given us is widespread DDoS amplification.
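The amplification point above is the one a resolver operator can actually measure: a DNSKEY or ANY answer for a signed zone is many times larger than the query that triggered it, so spoofed queries turn the resolver into a reflector. The following is an added example (not from the thread or any of its participants) of the per-source ratio check a detection pipeline would run over resolver query logs. The log format and the log lines are constructed for this demo; the field names and the thresholds are assumptions.

```python
"""Flag DNS clients whose query mix looks like DNSSEC-based reflection/amplification.

Added example, not code from the thread. The log format below is invented for the
demo; adapt the regex to your resolver's query-log format (dnstap, BIND, Unbound).
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). On an open resolver the "src"
# of an amplification flood is the spoofed victim, not the attacker.
SAMPLE_LOG = """\
2015-03-25T10:00:01Z src=203.0.113.7 qname=example.org qtype=DNSKEY req=57 resp=2134
2015-03-25T10:00:01Z src=203.0.113.7 qname=example.org qtype=DNSKEY req=57 resp=2134
2015-03-25T10:00:02Z src=203.0.113.7 qname=example.org qtype=ANY req=54 resp=3270
2015-03-25T10:00:02Z src=198.51.100.20 qname=example.org qtype=A req=45 resp=61
2015-03-25T10:00:03Z src=198.51.100.20 qname=www.example.org qtype=AAAA req=49 resp=77
2015-03-25T10:00:03Z src=203.0.113.7 qname=example.org qtype=ANY req=54 resp=3270
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"req=(?P<req>\d+) resp=(?P<resp>\d+)"
)

# Query types whose answers for a signed zone are large relative to the query.
AMPLIFYING_QTYPES = {"ANY", "DNSKEY", "RRSIG", "NSEC", "NSEC3", "TXT"}


def parse(log_text):
    """Yield one dict per parseable log line; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["req"] = int(rec["req"])
            rec["resp"] = int(rec["resp"])
            yield rec


def summarize(records):
    """Aggregate request/response bytes and amplifying-query counts per source address."""
    summary = defaultdict(lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0, "amplifying": 0})
    for rec in records:
        s = summary[rec["src"]]
        s["queries"] += 1
        s["req_bytes"] += rec["req"]
        s["resp_bytes"] += rec["resp"]
        if rec["qtype"] in AMPLIFYING_QTYPES:
            s["amplifying"] += 1
    return dict(summary)


def suspicious(summary, min_ratio=10.0, min_queries=3):
    """Return [(src, bytes_out / bytes_in)] for sources that look like reflection targets.

    Thresholds are assumptions for the demo: a source must have sent at least
    min_queries queries, mostly of amplifying types, and received at least
    min_ratio times more bytes than it sent.
    """
    hits = []
    for src, s in summary.items():
        ratio = s["resp_bytes"] / s["req_bytes"]
        if s["queries"] >= min_queries and s["amplifying"] * 2 > s["queries"] and ratio >= min_ratio:
            hits.append((src, ratio))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for src, ratio in suspicious(summarize(parse(SAMPLE_LOG))):
        print(f"{src}: amplification factor {ratio:.1f}x")
```

The ratio alone is not proof: a legitimate validating resolver behind a NAT also asks for DNSKEY records. What separates a flood from validation traffic is repetition of the same large-answer query from one source within seconds, which the count and qtype filters capture; rate limiting (RRL) on the responses, not blocking the source, is the usual mitigation because the source is the victim.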

What better option is there?

Not using DNSSEC and not having a false sense of security. No sense of security is better than a false one.

DNSSec is useless if TLS were implemented in the ideal way. But, unfortunately, TLS is far from ideal.

The author states "For something as harebrained as the CA system, remarkably few criminal breaches trace back to it" -- There have been many false CAs, and certificates issued. We have no idea what they've been used for (http://arstechnica.com/security/2015/03/google-warns-of-unau...). In addition to this, there exist many CAs whose primary purpose is to perform MITM-style attacks.

The author's points about DNSSec being expensive - somewhat, but more and more providers are offering DNSSec at the same price as normal DNS. Fedora is even enabling it on all their end hosts.

As far as the "Government controlled PKI": 1. What's better? Some security, or no security? 2. If the government wanted to crack DNSSec, there still exists the fact that we can share KSKs out of band for verification.

DNSSec is capable of providing better security than the current system. It does have some implementation gaps, but what do you propose alternatively?
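The "share KSKs out of band" idea in the comment above is concretely a trust-anchor check: the verifier holds a DS record (key tag, algorithm, digest type, digest of the KSK) obtained through a channel other than DNS, and accepts a DNSKEY only if it hashes to that DS. Below is an added example (not code from the thread or its participants) of that check in Python, following the DS construction in RFC 4034: SHA-256 over the canonical wire-form owner name followed by the DNSKEY RDATA, plus the RFC 4034 Appendix B key-tag computation. The DNSKEY bytes are constructed placeholder material, not a real key, and the "trusted" DS is derived once in the script so the demo is self-contained; in practice it would come from the parent zone or an out-of-band publication.

```python
"""Verify a zone's KSK (DNSKEY) against a DS trust anchor obtained out of band.

Added example, not from the thread. Implements RFC 4034 section 5.1.4 (DS digest)
and Appendix B.1 (key tag). The sample key bytes are constructed, not a real key.
"""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase, uncompressed.
    The root name "." is a single zero byte."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest: hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def verify_trust_anchor(owner: str, rdata: bytes, anchor: dict) -> bool:
    """True only if the DNSKEY matches the out-of-band DS on key tag, algorithm and digest."""
    if key_tag(rdata) != anchor["key_tag"]:
        return False
    if rdata[3] != anchor["algorithm"]:          # algorithm byte follows flags+protocol
        return False
    computed = ds_digest(owner, rdata, anchor["digest_type"])
    return hmac.compare_digest(computed, anchor["digest"])


# Constructed sample KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256). The 16 key bytes are a placeholder pattern, not a real key.
ZONE = "example.com."
SAMPLE_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 17)))

# The DS the verifier pins. Derived here only to keep the demo self-contained; a
# real verifier stores this value from an out-of-band channel and never recomputes it.
TRUSTED_DS = {
    "key_tag": key_tag(SAMPLE_KSK),
    "algorithm": 13,
    "digest_type": 2,
    "digest": ds_digest(ZONE, SAMPLE_KSK),
}


def tampered_key() -> bytes:
    """A DNSKEY an on-path attacker might substitute: same header, one key byte changed."""
    raw = bytearray(SAMPLE_KSK)
    raw[-1] ^= 0x01
    return bytes(raw)


if __name__ == "__main__":
    print("genuine KSK accepted:", verify_trust_anchor(ZONE, SAMPLE_KSK, TRUSTED_DS))
    print("tampered KSK accepted:", verify_trust_anchor(ZONE, tampered_key(), TRUSTED_DS))
```

The check is only as good as the channel the DS came from: if the pinned digest was itself fetched over unauthenticated DNS from the parent, a party controlling the parent can swap both the DS and the DNSKEY, which is exactly the "trust whoever controls your TLD" objection earlier in the thread.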
