#DNSSEC is easy if you outsource it (e.g. @cloudflare), but if you try to do it entirely yourself it's non-trivial to do correctly (e.g. key management, backups, etc.). What do you do when a domain has a single technical admin?
All that key management and backup shit comes out of thinking you need to do all this key management and backup shit. You don't. It's just bad initial assumptions.
ZSK roll is as automated as ACME. KSK roll isn’t something you need to do, maybe once every 5 years. But not rocket science either.
Did they actually manage to roll over the root KSK yet? Or are they still figuring out how after postponing half a year ago?
Because LE certificates are rolled over every couple days, everywhere; if you don’t, your cert stops working.
Root KSK == Whatever browsers are shipping in their root stores. You go down the rabbit hole, you end up seeing the same gunk
It's a lot easier to change keys that browsers will see, because...oh will you look at the *giant pile of centralization that is browser updates*. And the rebuttal is, DNS servers might be package managed too by Red Hat/Ubuntu etc. More centralization.
And the rebuttal there is, yeah but browser management centralization actually works better. And you realize you're in an argument about whose centralization eliminates more administrative cost. Which is the right argument.
You understand that you are building an argument against DNSSEC here, right?
I want things that work. If we can use LE to get things that work, and people don't mind that it's hilariously more centralized than DNSSEC was ever going to be, because EFF? Whatever. Make things work.
Guys, guys, guys. There's really no need to argue over how centralized DNSSEC is when DNSSEC still doesn't do anything useful like protect users from spoofing, blocking, or spying anyhow.
But then we'd have to discuss how well the Apple App Store model actually works.