Comment by PunchyHamster

9 hours ago

> Because DNS' multilayered caching makes it notoriously impossible to operate safely or debug.

That is not a problem for certs, you are not changing it every second. And the "impossible to operate or debug" is just plain false or incompetence.

> Most large outages already originate in DNS issues; putting the crypto in that layer would redouble it.

That is also just not true. Also, outage of DNS coz someone fucked up configuration management somewhere is not caused by anything related to DNS, it just so happens DNS is essential so any problem is visible.

> That is not a problem for certs, you are not changing it every second.

The problem is when you screw it up and can't fix it for 24 hours or worse.