Comment by lmm
7 hours ago
> I don't think any CA hasn't had an issue with revocation at some point (e.g. Let's Encrypt had a major one in 2021, and refused to revoke)
Every software org has had issues with every piece of functionality, revocation isn't special.
> modern bind9 seems to just handle DNSSEC with no issues when I've used it
The happy path works. Everything is fine until it isn't. Very few people are confident enough to fully deploy it.
According to https://stats.labs.apnic.net/dnssec DNSSEC is sitting at about 1/3, so "very few" isn't accurate. I'm not suggesting browsers should change what they do, but if WebPKI can't be used, building a new CA ecosystem would seem to be at least as hard as getting DANE working.