I'm pretty sure the SCT requirement contained the blast radius of this compromise to avoid anyone from actually being affected by it, so your comment doesn't really follow here.

Also, DANE relies on DNSSEC [1], which is bad.

https://sockpuppet.org/blog/2015/01/15/against-dnssec

Agree with you, it's entirely incorrect that a CT log operator "defines the security of the entire CA system". They can't issue certs and their output is already regarded with suspicion by default.

> I'm pretty sure the SCT requirement contained the blast radius of this compromise to avoid anyone from actually being affected by it, so your comment doesn't really follow here.

I think this would be true except my statement wasn't just about SCT but the CA system in general. Furthermore, browsers like Firefox [1] do not even have CT checks.

> Also, DANE relies on DNSSEC [1], which is bad.

Handshake completes this system [2].

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1281469

[1a] https://developer.mozilla.org/en-US/docs/Web/Security/Certif...

[2] https://github.com/handshake-org/hdns

Despite being supported, relying on browsers checking CT logs was never something that what going to be deployed at scale because, just like revocation lists, it adds a performance hurdle to every request.

Auditors and monitors are the real protection you get from CT logs.

You get the same problem with any form of DNS validation because you'll never get every little caching server to validate records.

Just so everyone's clear about this, Handshake is a system backed by a cryptocurrency, "HNS", that is actively traded despite being useful only to speculators. Its backers believe that they'll take over control of the Internet and be rewarded financially for it through their currency.

If that works, I call ARPcoin next.

Ah hello 2015, my old friend.

DNSSEC is a Government-Controlled PKI -> Not if the root of trust is secured by a proof-of-work blockchain

DNSSEC is Cryptographically Weak -> Not if zone operators upgrade to ECDSA as defined for DNSSEC in https://tools.ietf.org/html/rfc6605

DNSSEC is Unsafe -> NSEC3 is mentioned by the article itself

DNSSEC is Expensive To Deploy -> We can make tools for this, so much has gotten easier already

DNSSEC is Incomplete -> Agreed, we need browser adoption

> Not if the root of trust is secured by a proof-of-work blockchain

https://tonyarcieri.com/on-the-dangers-of-a-blockchain-monoc...

https://paragonie.com/blog/2017/07/chronicle-will-make-you-q...

> Not if zone operators upgrade to ECDSA as defined for DNSSEC in https://tools.ietf.org/html/rfc6605

First: That's a big "if". Lots of RSA legacy support.

Furthermore, ECDSA is so bad that Ed25519 and Ed448 are even coming to FIPS 186-5 later this year.

Citing ECDSA adoption in DNSSEC doesn't make as strong of a case as you might think.

For context, some statistics:

"Currently [2018], in more than 90% of cases if a user passes DNS queries to a resolver that performs DNSSEC validation of an RSA digital signature the same resolver will also perform DNSSEC validation of ECDSA P-256 digital signatures."

https://blog.apnic.net/2018/08/23/measuring-ecdsa-in-dnssec-...

"Since the second quarter of 2019 [to the first quarter of 2020], the population of [strict DNSSEC] validating users has risen from 12% to 22%, close to doubling. At the same time, the proportion of [non-strict DNSSEC validating] users has risen from 5% to 10%."

https://blog.apnic.net/2020/03/02/dnssec-validation-revisite...

A better argument against the preposterous claim that DNSSEC is "government-controlled" (and one that doesn't rely on blockchains, which are controversial in their own right), is that with DNSSEC you can choose which government (i.e. ccTLD) your domain is under, or choose one of the many generic TLDs.

The web PKI, by contrast, requires users to trust a bunch of CAs, any one of which could have been compromised by a government and can issue a certificate for your domain. Also, if a government can compromise your DNS records, they can also be granted domain-validated certificates for those domains, so the web PKI is not an improvement.

Anyway, if your threat model is that every single country in the world is willing to subvert the security of their own DNS hierarchy specifically to attack you, then the limitations of DNSSEC are the least of your worries.

With DNSSEC, when it becomes instantly clear that the United States Government controls .COM, Google can simply leave .COM, and tell every Google user in the United States never to use the tainted GOOGLE.COM domain, and all the users will stop using .COM and start using the new Google domain name, because that is how things work in the real world.

Yeah, imagine the hours of productivity that will be lost as people in the US update their link to Google in their IE6 "Favorites" list, because that's how things work in the real world.

In contrast, when it becomes clear that the United States Government controls multiple certificate authorities, that won't be a problem for any websites.

With the CT system I can monitor the CA's issuance, with DNSSEC I can't retroactively monitor if someone has changed the DANE keys and intercepted traffic.

True, DNSSEC Transparency is not as developed a technology as Certificate Transparency. There has been experimental deployment of such a system[0] but to give higher assurance there is a small addition to the DNS data that needs to be adopted first[1], which is still going through the IETF process.

[0] https://twitter.com/ln4711/status/754516056878772224

[1] https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-deleg...

Certificate Transparency, by contrast, exists.

Yeah, because Web PKI existed, DNSSEC has yet to gather any meaningful good deployment. It's not hard to throw away something that doesn't exist :P

How would you monitor that your DNS provider hasn't changed your DANE records and intercepted traffic?