Comment by Avamander
7 months ago
Outages and poor management are one possibility. Another is the fact that you have to trust the country running the ccTLD with DNSSEC keys. This might rule out things like using TLSA/DANE or SSHFP records.
I think more relevantly than DNSSEC, couldn't they issue TLS certificates using DNS-01 validation? You have to trust your DNS registry.
They could, but WebPKI things get logged, doing split-horizon DNS for your victims doesn't.
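One defender-side response to the split-horizon concern in the reply above, as an added example that is not part of the thread: collect the same TLSA/SSHFP/A answers from several resolvers and flag names where the vantage points disagree or where an answer came back without DNSSEC validation. The vantage-point names, domain names and record data are constructed sample input; the script queries nothing itself.

```python
"""Multi-vantage-point DNS consistency check (added example, constructed data).

A registry or ccTLD operator that serves different answers to different
clients leaves no public record, unlike a mis-issued WebPKI certificate
that lands in CT logs.  Comparing answers observed from several resolvers
is one way to notice that; disagreement is a lead to investigate, since
legitimate GeoDNS also produces it.
"""
from collections import Counter, defaultdict

# Constructed sample: (vantage_point, name, rrtype, dnssec_validated, rdata set)
OBSERVATIONS = [
    ("resolver-home", "mail.example.test", "TLSA", True, {"3 1 1 abc123"}),
    ("resolver-cloud", "mail.example.test", "TLSA", True, {"3 1 1 abc123"}),
    ("resolver-isp", "mail.example.test", "TLSA", True, {"3 1 1 abc123"}),
    ("resolver-home", "ssh.example.test", "SSHFP", True, {"4 2 deadbeef"}),
    ("resolver-cloud", "ssh.example.test", "SSHFP", True, {"4 2 deadbeef"}),
    # One vantage point sees a different fingerprint: split-horizon suspect.
    ("resolver-isp", "ssh.example.test", "SSHFP", True, {"4 2 0badf00d"}),
    ("resolver-home", "www.example.test", "A", True, {"192.0.2.10"}),
    # Same data, but the resolver did not set the AD bit (no DNSSEC validation).
    ("resolver-cloud", "www.example.test", "A", False, {"192.0.2.10"}),
]


def find_inconsistencies(observations, min_vantage_points=2):
    """Return {(name, rrtype): [finding, ...]} for every RRset with a problem."""
    by_rrset = defaultdict(list)
    for vp, name, rrtype, validated, rdata in observations:
        by_rrset[(name, rrtype)].append((vp, validated, frozenset(rdata)))
    findings = {}
    for key, obs in sorted(by_rrset.items()):
        problems = []
        if len(obs) < min_vantage_points:
            problems.append("insufficient_vantage_points")
        # The majority answer is the reference; vantage points that saw
        # something else are the ones to examine.
        majority, _ = Counter(rdata for _, _, rdata in obs).most_common(1)[0]
        problems += [f"divergent: {vp}" for vp, _, rdata in obs if rdata != majority]
        # Without DNSSEC validation the answer could have been altered on path,
        # so a TLSA or SSHFP record from that vantage point proves nothing.
        problems += [f"unvalidated: {vp}" for vp, validated, _ in obs if not validated]
        if problems:
            findings[key] = problems
    return findings


if __name__ == "__main__":
    for (name, rrtype), problems in find_inconsistencies(OBSERVATIONS).items():
        print(f"{name} {rrtype}: {', '.join(problems)}")
```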