A QUIC look at HTTP/3

Posted Mar 19, 2020 4:11 UTC (Thu) by flussence (guest, #85566)
In reply to: A QUIC look at HTTP/3 by josh
Parent article: A QUIC look at HTTP/3

After a few minutes thinking about it, it doesn't sound *conceptually* impossible. But it's practically impossible because of the logistics and current architecture. DNS is extremely high-volume, combined with a much higher rate of churn than certificates, and geared for small writes with limited side effects.

Asking any one of the dynamic DNS providers on the net to publish transparency records (or even basic DNSSEC ones for that matter) when they're hosting over a million subdomains isn't going to fly any time soon. Sometimes a 30 second TTL is a legitimate use case.


A QUIC look at HTTP/3

Posted Mar 19, 2020 19:11 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

I would guess that you can set up a CT-like system for the DNSSEC public keys for domains. Something like: "*.somedomain.com -> pubkey".

This way if CIA comes a-knocking to the DNS registrar to impersonate "joe.somedomain.com", they would have to publish a new record with CIA's pubkey.

DNSSEC keys don't change very often, so the rate of change would be manageable.
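As an added illustration of the scheme sketched in this thread (this is example code, not something posted by either commenter or taken from any real transparency-log project): a toy, CT-style append-only log whose entries are "name -> pubkey" records, with RFC 6962-style Merkle inclusion proofs and a monitor that flags any key published under a name it watches that is not the owner's own. The record format, the wildcard rule and the monitor policy are this example's own assumptions; the constructed sample keys ("KEY-A" and so on) stand in for real DNSSEC public keys.

```python
"""Toy CT-style log of "name -> pubkey" records (added example, not from the
LWN thread or any real project). Leaf/node hashing follows RFC 6962; record
encoding, wildcard matching and monitor policy are this example's own choices."""
import hashlib
from typing import Dict, List, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(name: str, pubkey: str) -> bytes:
    # 0x00 prefix separates leaves from interior nodes (RFC 6962 convention).
    return _h(b"\x00" + name.encode() + b"\n" + pubkey.encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2); RFC 6962 split point."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Audit path from leaf `index` to the root: (side of the sibling, sibling hash)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]


def verify_inclusion(leaf: bytes, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    h = leaf
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root


class KeyLog:
    """Append-only list of (name, pubkey) records; the root commits to all of them."""

    def __init__(self) -> None:
        self.records: List[Tuple[str, str]] = []

    def append(self, name: str, pubkey: str) -> int:
        self.records.append((name, pubkey))
        return len(self.records) - 1

    def leaves(self) -> List[bytes]:
        return [leaf_hash(n, k) for n, k in self.records]

    def root(self) -> bytes:
        return merkle_root(self.leaves())

    def proof(self, index: int) -> List[Tuple[str, bytes]]:
        return inclusion_proof(self.leaves(), index)


def covers(pattern: str, name: str) -> bool:
    """Assumed wildcard rule: '*.example.com' covers any name under example.com."""
    if pattern == name:
        return True
    return pattern.startswith("*.") and name.endswith(pattern[1:])


class Monitor:
    """Domain owner's watcher: any record under an owned pattern whose key is not
    the owner's own key is an alert (the 'new record with someone else's pubkey'
    that a registrar would have to publish to impersonate a name)."""

    def __init__(self, owned: Dict[str, str]) -> None:
        self.owned = owned      # pattern -> the key the owner actually published
        self.seen = 0           # log index scanned so far

    def scan(self, log: KeyLog) -> List[Tuple[int, str, str]]:
        alerts = []
        for i in range(self.seen, len(log.records)):
            name, key = log.records[i]
            for pattern, expected in self.owned.items():
                if covers(pattern, name) and key != expected:
                    alerts.append((i, name, key))
        self.seen = len(log.records)
        return alerts


if __name__ == "__main__":
    log = KeyLog()
    log.append("*.somedomain.com", "KEY-A")       # constructed sample records
    log.append("example.org", "KEY-B")
    mon = Monitor({"*.somedomain.com": "KEY-A"})
    print("alerts before:", mon.scan(log))
    idx = log.append("joe.somedomain.com", "KEY-C")
    print("proof ok:", verify_inclusion(leaf_hash("joe.somedomain.com", "KEY-C"), log.proof(idx), log.root()))
    print("alerts after:", mon.scan(log))
```

The point the log makes concrete: a change to the key for joe.somedomain.com is only honoured by verifiers if it is in the log, and once it is in the log the owner's monitor sees it on its next scan. The cost model matches the comment above: only key records are logged, not ordinary DNS answers, so short TTLs and high query volume never touch the log.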


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds