Absolutely! 1/ DNSSEC does *nothing* between your browser/computer and your resolver. But that's the weakest link! 2/ For other links, junk crypto like RSA-512 with SHA1 is still common. I can break that on my watch.
DNSSEC doesn't actually work. That's not hyperbolic, it really doesn't work. It does cause outages, again, not hyperbole. Please don't mislead users otherwise, it's not responsible. Again: Don't use it.
-
It sure works for me, that's a fact. Ditto for many other domains. It allows me to publish TLSA records in a downgrade-resistant manner to the rest of the world. It clearly does not work for you, but let's not get religious about it.
-
Nope. It doesn't work, that's the truth. Once again: It doesn't protect the weakest link in the chain at all, and where it tries to, it gets the crypto wrong to the point that it's not secure. It also causes outages. None of this is a matter of opinion. There's not two sides.