
You may disagree, but there are other reasons not to rely on DNSSEC besides "mortal men not being capable of understanding it": https://sockpuppet.org/blog/2015/01/15/against-dnssec/

HTTPS does seem like overkill, but on the other hand, it's likely already running (even I, who host my own mail, have an HTTP daemon on the same server), so in the common case, it doesn't increase the attack surface.

The blog you quote is from 2015. Let's look at some recent numbers on DNSSEC/DANE deployment.


These graphs don't address any of the points. Even worse, those numbers don't say anything about how many DNS requests are actually verified... A good guess is that those crypto keys sit idle.
