On Tue 12/Mar/2024 17:24:08 +0100 David Conrad wrote:
> On Mar 12, 2024, at 1:57 AM, Alessandro Vesely <vesely@tana.it> wrote:
>> DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype.
>
> I figure enabling DNSSEC validation everywhere and signing what makes sense after doing a cost/benefit trade-off would be the rational way to go. As signing technologies get more mature, the cost goes down and even the marginal benefit of signing everything would be justified.

Right, and I'd guess the number of operators involved in switching to DNSSEC is less than that for HTTPS.

>> Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles.
>
> As Randy points out, TLS also gives you authentication (as long as you trust the myriad CAs) and with more granularity than the IP address.

Right, and let's note that the chain of trust is hierarchical for DNSSEC, which makes for a clear-cut PKI. HTTPS certificates are based on browser/system/distro/user policy choices, a rather hazy infrastructure.

> On wasting cycles, if you only encrypt the sensitive stuff, you give away the fact that you’re communicating sensitive stuff when you encrypt.
>
> However, I suspect this isn’t particularly in the charter of this mailing list…

Well, the OP topic is DNSSEC and _Resource_ Public Key Infrastructure (RPKI), which is similar in principle to the domain-based hierarchy of DNSSEC.

Best
Ale
--