I’ve read the previous discussions…
But they did not seem to come to any final conclusion nor reasoning.
So, is there a reason why LetsEncrypt.org is not using DNSSEC?
No DNS CAA either…
OMG, they’re using a self-signed certificate too!
I thought this question was odd the first time I read it.
What has LetsEncrypt got to do with DNSSEC?
DNSSEC is a function of the DNS service.
First you create your DNSSEC keys, then you add them to the subdomain's zone file as TXT records.
Then of course you add the public DNSSEC keys to the registry via your registrar.
This has nothing to do with LetsEncrypt unless you know something about DNSSEC that I don’t.
@ITI, I think @rg305 wishes that Let’s Encrypt would sign its own domain letsencrypt.org
with DNSSEC, not that Let’s Encrypt would somehow offer DNSSEC services to other people.
The key word being "using" - not providing.
Well that makes a lot more sense.
Thanks guys.
So why aren't they!
If you do a quick whois, you'll see the domain is registered through enom.
If you look up dnssec+enom, enom doesn't support DNSSEC administering by automated means. It must be manually handled via support tickets.
For a lot of companies and people, that is a dealbreaker. If you need to adjust DNS infrastructure to deal with an outage, migration or other concern, you become blocked by a bottleneck in not being able to fully administer the DNS records yourself and have a guaranteed downtime.
The ISRG staff may have other reasons, but that is the most common one I know of. Migrating registrars and DNS systems is also often a pain in a corporate setting for many reasons.
Even if they did sign letsencrypt.org, most of the services reference unsigned external domains. It would have limited impact.
letsencrypt.org. (unsigned) 3600 MX 1 aspmx.l.google.com.
letsencrypt.org. (unsigned) 3600 MX 5 alt1.aspmx.l.google.com.
letsencrypt.org. (unsigned) 3600 MX 5 alt2.aspmx.l.google.com.
letsencrypt.org. (unsigned) 3600 MX 10 aspmx2.googlemail.com.
letsencrypt.org. (unsigned) 3600 MX 10 aspmx3.googlemail.com.
acme-v02.api.letsencrypt.org. (unsigned) 7200 CNAME api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net. (unsigned) 18211 CNAME e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net. (unsigned) 20 A 104.92.3.37
e14990.dscx.akamaiedge.net. (unsigned) 20 AAAA 2600:1402:a:184::3a8e
e14990.dscx.akamaiedge.net. (unsigned) 20 AAAA 2600:1402:a:186::3a8e
community.letsencrypt.org. (unsigned) 7200 CNAME hosted-vh2.discourse.org.
hosted-vh2.discourse.org. (unsigned) 120 A 64.71.168.201
hosted-vh2.discourse.org. (unsigned) 120 AAAA 2001:470:1:3a8::201
ocsp.int-x3.letsencrypt.org. (unsigned) 332 CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. (unsigned) 3332 CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. (unsigned) 20 A 23.219.162.168
a771.dscq.akamai.net. (unsigned) 20 A 23.219.162.170
a771.dscq.akamai.net. (unsigned) 20 AAAA 2600:1402:a::b81a:8e33
a771.dscq.akamai.net. (unsigned) 20 AAAA 2600:1402:a::b81a:8e58
That amounts to "Well, since no one else is doing it... Why should I? What difference would it make?"
We should all be the first one that does; and set the example for the rest to follow.
That’s not quite what @mnordhoff was saying.
If http://letsencrypt.org redirected to https://letsencrypt.org but then to http://www.letsencrypt.org, that wouldn’t be very useful, would it?
Providing a CNAME from a signed zone to an unsigned zone is the DNSSEC equivalent of redirecting HTTPS to HTTP. It doesn’t buy you a whole lot of security.
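The "weakest hop" argument above, as an added example that is not part of the thread: it walks a CNAME chain over a constructed record table and reports the first name served from an unsigned zone. The names mirror the output quoted earlier; the letsencrypt.org entries are marked signed only to model the "even if they did sign it" hypothetical, and www.example.org is a constructed fully-signed case.

```python
"""Follow a CNAME chain and find where DNSSEC protection ends.

Added illustration, not code from Let's Encrypt or the thread. The
'signed' flags are assumptions: in a real check they would come from a
validating resolver (e.g. the AD bit on each answer in the chain).
"""
from typing import List, NamedTuple, Optional, Tuple


class Record(NamedTuple):
    name: str
    rtype: str
    target: str
    signed: bool  # True if the zone serving this record is DNSSEC-signed


# Constructed table modelled on the chains quoted in the thread.
# letsencrypt.org is *assumed* signed here to show that a CNAME into an
# unsigned zone still leaves the final A/AAAA answer unprotected.
RECORDS = [
    Record("acme-v02.api.letsencrypt.org.", "CNAME", "api.letsencrypt.org-ng.edgekey.net.", True),
    Record("api.letsencrypt.org-ng.edgekey.net.", "CNAME", "e14990.dscx.akamaiedge.net.", False),
    Record("e14990.dscx.akamaiedge.net.", "A", "104.92.3.37", False),
    Record("community.letsencrypt.org.", "CNAME", "hosted-vh2.discourse.org.", True),
    Record("hosted-vh2.discourse.org.", "A", "64.71.168.201", False),
    Record("www.example.org.", "A", "192.0.2.1", True),  # constructed: fully signed
]


def walk_chain(records: List[Record], name: str, max_hops: int = 8
               ) -> Tuple[List[str], bool, Optional[str]]:
    """Return (names visited, fully_signed, first unsigned name or None).

    An answer counts as DNSSEC-protected only if every hop on the path,
    including the terminal A/AAAA record, came from a signed zone. One
    unsigned CNAME target is enough to lose the guarantee, exactly like an
    HTTPS page that redirects back to HTTP.
    """
    visited: List[str] = []
    first_unsigned: Optional[str] = None
    for _ in range(max_hops):
        rrs = [r for r in records if r.name == name]
        if not rrs:
            raise LookupError(f"no records for {name}")
        visited.append(name)
        if first_unsigned is None and any(not r.signed for r in rrs):
            first_unsigned = name
        cnames = [r for r in rrs if r.rtype == "CNAME"]
        if not cnames:  # terminal record set reached
            return visited, first_unsigned is None, first_unsigned
        name = cnames[0].target
    raise LookupError(f"CNAME chain from {visited[0]} exceeds {max_hops} hops")
```

Against the constructed table, the acme-v02 chain loses its guarantee at the first edgekey.net hop even though its origin zone is marked signed.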
That is very true.
But now that is sounding a lot like what I was inferring...
Why should I sign my zone if no one else is?
And the answer to that is...
In short, don't worry (nor follow) what anyone else or everyone else is doing.
Just do what you know to be right.