
> probably because the people who originally designed DNSSEC (and DNS) couldn't believe that people would be crazy enough to try to keep their DNS records secret

I wonder if it's time to just retire this mechanism. In 2025 you'd have to be crazy to not use encryption with an internet-facing host, which in practice usually means TLS, which means your hostname is already logged in Certificate Transparency logs and trivially enumerated.





You can work with wildcard certs and your hostnames need not be enumerated.

How is giving every internal host a wildcard cert not a cure far worse than the disease in 99 percent of the cases?


