Comment by tptacek

7 hours ago

It seems pretty clear to me that the industry, and particularly the slice of the industry that operates large, important sites and staffs big security teams, doesn't believe this is a meaningful problem at all.

I agree with them.

Would this article not be evidence that the part of the industry that makes up the CA/B Forum (i.e. CAs and Browsers) disagrees?

  • Yeah but CAs want to sell you certificates, and browsers compete on their support for those certificates.

    • Huh? They really don't. It's actually kind of unfortunate that browsers don't have uniform policies about what certificates they accept, but for obvious reasons each browser wants to make their own decision.

  • The fact that it's 2026 and the CAs are only now getting around to requiring any CA to take DNSSEC, which has in its current form been operational for well over a decade, makes you take DNSSEC more seriously?

    • LetsEncrypt has been checking for DNSSEC since they launched 10+ years ago.

      The ACME standard recommends ACME-based CAs use DNSSEC for validation, section 11.2 [1]:

          An ACME-based CA will often need to make DNS queries, e.g., to
          validate control of DNS names.  Because the security of such
          validations ultimately depends on the authenticity of DNS data, every
          possible precaution should be taken to secure DNS queries done by the
          CA.  Therefore, it is RECOMMENDED that ACME-based CAs make all DNS
          queries via DNSSEC-validating stub or recursive resolvers.  This
          provides additional protection to domains that choose to make use of
          DNSSEC.

          An ACME-based CA must only use a resolver if it trusts the resolver
          and every component of the network route by which it is accessed.
          Therefore, it is RECOMMENDED that ACME-based CAs operate their own
          DNSSEC-validating resolvers within their trusted network and use
          these resolvers both for CAA record lookups and all record lookups in
          furtherance of a challenge scheme (A, AAAA, TXT, etc.).

      [1]: https://datatracker.ietf.org/doc/html/rfc8555/#section-11.2


    • Why dodge the question? Clearly they care today, and I live in today.

      If we're going to defer to industry, does only the opinion of website operators matter, or do browsers and CAs matter too? Browsers and CAs tend to be pretty important and staff big security teams too.


Big sites don't have the same concerns as individual end users, in this case specifically about centralized servers surveilling DNS queries.

DNSSEC zone signing lets one resolve records without having to directly go through trusted (i.e. centralizing) nameservers. (If you run your own recursive resolver this just changes the set of trusted servers to the zones' servers).

I've made this argument in the context of your pooh-poohing DNSSEC before, and I don't expect you to be receptive to it this time. Rather I just really wish I could get around to writing code to demonstrate what I mean.
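The mechanism both the RFC 8555 quote and the last comment lean on is that a DNSSEC validator checks a signature over the record data itself, so the answer can come from any nameserver, cache or forwarder and still be checked against the zone's key. The following Go program is an added example written for this page; it is not code from the thread, from any commenter, from Let's Encrypt, or from the ACME specification. It signs an A RRset with an Ed25519 zone key (DNSSEC algorithm 15, RFC 8080) and validates it the way RFC 4034 §3.1.8.1 and §6 define the signed data: RRSIG RDATA without the signature, followed by the RRset in canonical form. The zone name, owner name, addresses and timestamps are constructed for illustration (example.org and 192.0.2.0/24 are documentation ranges); the DS chain from the DNSKEY up to the root trust anchor, NSEC/NSEC3 denial of existence, and the resolver's DNS transport are deliberately left out so that only the signature check remains.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"sort"
	"strings"
)

// Constructed example, not code from the thread: an Ed25519 zone key (DNSSEC algorithm 15,
// RFC 8080) signs an A RRset, and a validator checks the RRSIG as RFC 4034 §3.1.8.1 lays out.
const typeA, classIN, algEd25519 = 1, 1, 15

// RR is one A record as it arrives in an answer; Rdata is the 4-byte IPv4 address.
type RR struct{ Name string; TTL uint32; Rdata []byte }

// rrsigFixed is the fixed-size part of the RRSIG RDATA in wire order (RFC 4034 §3.1), so that
// binary.Write emits it verbatim; times are Unix seconds. RRSIG adds the two variable fields.
type rrsigFixed struct {
	TypeCovered                    uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16
}
type RRSIG struct {
	rrsigFixed
	SignerName string
	Signature  []byte
}

// wireName is the canonical wire form of a name: uncompressed and lowercase (RFC 4034 §6.2).
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.FieldsFunc(strings.ToLower(name), func(r rune) bool { return r == '.' }) {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// dnskeyRdata is the DNSKEY RDATA: flags 256 (zone key), protocol 3, algorithm, raw public key.
func dnskeyRdata(pub ed25519.PublicKey) []byte { return append([]byte{1, 0, 3, algEd25519}, pub...) }

// keyTag is the RFC 4034 Appendix B checksum by which an RRSIG names the key that produced it.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2))
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// signedData is the RRSIG RDATA minus the Signature, then the RRset in canonical form (RFC 4034
// §6.3): lowercase owners, the RRSIG's original TTL, RRs sorted by RDATA. So a cache's TTL,
// the owner's case and the order of the RRs cannot break validation.
func signedData(rrs []RR, s RRSIG) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, s.rrsigFixed)
	b.Write(wireName(s.SignerName))
	rows := make([][]byte, 0, len(rrs))
	for _, rr := range rrs {
		var r bytes.Buffer
		r.Write(wireName(rr.Name))
		binary.Write(&r, binary.BigEndian, struct{ T, C uint16; TTL uint32; L uint16 }{typeA, classIN, s.OrigTTL, uint16(len(rr.Rdata))})
		r.Write(rr.Rdata)
		rows = append(rows, r.Bytes())
	}
	sort.Slice(rows, func(i, j int) bool { return bytes.Compare(rows[i], rows[j]) < 0 })
	return append(b.Bytes(), bytes.Join(rows, nil)...)
}

// signRRset is the zone operator's offline step; the RRSIG is published next to the RRset.
func signRRset(priv ed25519.PrivateKey, zone string, rrs []RR, inception, expiration uint32) RRSIG {
	labels := uint8(strings.Count(strings.TrimSuffix(rrs[0].Name, "."), ".") + 1)
	s := RRSIG{rrsigFixed{typeA, algEd25519, labels, rrs[0].TTL, expiration, inception,
		keyTag(dnskeyRdata(priv.Public().(ed25519.PublicKey)))}, zone, nil}
	s.Signature = ed25519.Sign(priv, signedData(rrs, s))
	return s
}

// verifyRRset is the validator's step and is identical whichever server handed over the answer.
func verifyRRset(pub ed25519.PublicKey, rrs []RR, s RRSIG, now uint32) bool {
	return s.Algorithm == algEd25519 && s.KeyTag == keyTag(dnskeyRdata(pub)) &&
		now >= s.Inception && now <= s.Expiration && // RFC 4035 §5.3.1 validity window
		ed25519.Verify(pub, signedData(rrs, s), s.Signature)
}

// demo signs a two-address RRset and validates it as served, as a cache would return it (TTL
// lowered, owner upper-cased, RRs reordered), with one address forged, and after expiry.
func demo() (asServed, fromCache, forged, expired bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	rrs := []RR{{"www.example.org.", 300, []byte{192, 0, 2, 10}}, {"www.example.org.", 300, []byte{192, 0, 2, 11}}}
	s := signRRset(priv, "example.org.", rrs, 1_700_000_000, 1_701_000_000)
	cached := []RR{{"WWW.Example.ORG.", 17, []byte{192, 0, 2, 11}}, {"www.example.org.", 17, []byte{192, 0, 2, 10}}}
	bad := []RR{{"www.example.org.", 300, []byte{198, 51, 100, 1}}, rrs[1]}
	return verifyRRset(pub, rrs, s, 1_700_500_000), verifyRRset(pub, cached, s, 1_700_500_000),
		verifyRRset(pub, bad, s, 1_700_500_000), verifyRRset(pub, rrs, s, 1_702_000_000)
}
```

demo() returns true, true, false, false: the answer validates as served and after a cache has rewritten everything that is not covered by the signature, while a substituted address or an expired RRSIG is rejected. The design point relevant to the RFC 8555 text above is where this check runs. A stub that merely reads the AD bit from somebody else's resolver is trusting that resolver and the path to it; a CA that wants the guarantee the quote describes has to do this verification (and the DS-chain walk omitted here) on a resolver it operates itself.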