
RFC 9498: The GNU Name System

Posted Nov 30, 2023 8:11 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: RFC 9498: The GNU Name System by NYKevin
Parent article: RFC 9498: The GNU Name System

> You can't hard-fail on that DNS query

I mean, you can. And with DoH/DoT it's pretty easy to do the query to work around broken ISPs.

Browsers also have a "bully pulpit": they can start by silently ignoring DNSKEY query failures, then, a couple of years later, start showing a banner like "your ISP is tampering with your DNS", and then put the DNSKEY-failed connections behind the usual scary "certificate might be invalid" dialog.

> Such warnings do more harm in aggregate (by training users to ignore them) than the extremely limited number of MitM attacks you would realistically prevent.

The same statement could be made about deprecating HTTP.

Especially since it has caused half of the Internet to depend on one _service_ (Let's Encrypt). Its failure will basically cause an Internet-wide blackout, all to prevent occasional malicious MITM.

DANE will eventually make it possible to break this dependency.




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds