Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Tony Finch dot at dotat.at
Mon Sep 12 21:37:18 UTC 2011

Mike Jones <mike at mikejones.in> wrote:
> DNSSEC deployment is advanced enough now to do that automatically at the
> client.

Sadly not quite. DNSSEC does have the potential to provide an alternative
public key infrastructure, and I'm keen to see that happen. But although
it works well between authoritative servers and recursive resolvers, there
are a lot of shitty DNS forwardersin CPE and captive portals and so on
which do not understand DNSSEC. And DNSSEC does not work unless all the
forwarders and recursors that you are using support it. So DNSSEC on the
client has a long way to go.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Hebrides, Southeast Bailey: Westerly 5 to 7 until later in south Hebrides,
otherwise northwesterly 3 or 4, increasing 5 to 7. Rough or very rough,
occasionally high in south Hebrides. Rain or showers. Good, occasionally

More information about the NANOG mailing list