
Note that DNSSEC is a PKI, but it's fantastically better than a WebPKI because a) you get a single root CA, b) you can run your own private root CA (by running your own `.`), c) if clients did QName minimization then the CAs wouldn't easily know when it's interesting to try to MITM you. Oh, and DNS has name constraints naturally built-in while PKIX only has them as an extension that no one implements.

The only real downsides are that DNSSEC doesn't have CT yet (that'd be nice), this adds latency, and larger DNS messages can be annoying.



The single root CA makes it fantastically worse, not better. DNSSEC will never get CT, because no entity in the world has the leverage to make that happen. The whole point of CT is that no WebPKI entity can opt out of it.



