Why has DNS-01 to be such complicated?

_az · August 11, 2019, 10:44pm

With DANE, your browser trusts the certificates that your signed TLSA record specifies. Meaning all your trust is in ICANN to not misuse the root KSK. At least today with CAs, we have 4 major root programs and one of them (Mozilla) is completely managed in the open. But seeing as how no browsers implement DANE and DNSSEC deployment is pitiful, it is a moot point for now.

FWIW the ACME WG really did not like the “static CNAME” idea (like what ACM implements) when it was posted to the mailing list. Most members seem to believe that it is an “end run” of validation practices. But I’m still unconvinced that a single CNAME indirection on its own is enabling Amazon to do what they do.

Bachsau · August 11, 2019, 10:50pm

But that is already the case as long as we use public DNS at all, so it is not more of a problem than it has been forever, and ICANN can do nothing without the world getting aware of it.

_az · August 11, 2019, 10:57pm

Yeah, you’re totally right, my feelings about DNS overall bleeding through .

Bachsau · August 11, 2019, 11:00pm

At least there is nothing completely secure, something can only be more secure. Someone could drop some nuclear bombs and we’ll be all dead.

system · September 10, 2019, 11:01pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.