Comment by drpossum

6 months ago

You should always be aware of political risks when buying a ccTLD. There's precedent that these have caused serious issues for domain holders, one notable example

https://www.theverge.com/2024/2/12/24071036/queer-af-mastodo...

3 comments

drpossum

Avamander 6 months ago

Outages and poor management are one possibility. Other is the fact that you have to trust the country running the ccTLD with DNSSEC keys. This might rule out things like using TLSA/DANE or SSHFP records.

EE84M3i 6 months ago
I think more relevantly than DNSSEC, couldn't they issue TLS certificates using DNS-01 validation? You have to trust your DNS registry.
- Avamander 6 months ago
  
  They could, but WebPKI things get logged, doing split-horizon DNS for your victims doesn't.