Really? You're not concerned that someone might do a very specific kind of on-path DNS cache corruption attack, in 4-5 places simultaneously around the world to defeat multipath lookups at CAs, in order to misissue a certificate for your domain, which they can then leverage in MITM attacks they're somehow able to launch to get random people to think they're looking at your website when they're looking at something else? And that risk doesn't outweigh the fairly strong likelihood that at some point after you enable DNSSEC something will happen to break that configuration and make your entire domain fall off the Internet for several days?
reply
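The failure mode the comment above weighs against the misissuance scenario is a DNSSEC deployment that silently breaks (an RRSIG that expires after a key rollover stalls, a DS at the parent that no longer matches) until validating resolvers start returning SERVFAIL. The check below is an added example, not code from anyone in this thread: it reads the text that `dig +dnssec` prints for a name, confirms the resolver set the AD (authenticated data) flag, and warns when any RRSIG is expired or close to expiring, so the outage can be caught by a cron job rather than by users. The zone name, the signature data and both dig transcripts are constructed for the example; the parser assumes dig's usual one-record-per-line presentation format.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample of `dig +dnssec` output for a hypothetical signed zone
# (example.test). The signature blob is not a real RRSIG; the layout is
# what dig prints: owner TTL IN RRSIG covered alg labels origttl expire incept keytag signer sig
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.test.\t3600\tIN\tA\t192.0.2.10
www.example.test.\t3600\tIN\tRRSIG\tA 13 3 3600 20240601000000 20240515000000 12345 example.test. c29tZXNpZ25hdHVyZQ==
"""

# Constructed sample of what a validating resolver returns once the chain of
# trust is broken: no answer, no AD flag, just SERVFAIL.
SERVFAIL_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


def parse_sigtime(stamp):
    """RRSIG inception/expiration fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_dnssec(dig_output, now, warn_days=7):
    """Inspect dig output and report anything that would (or soon will) make
    validating resolvers reject the zone. Returns a findings dict."""
    findings = {"status": None, "validated": False, "rrsigs": [], "problems": []}
    for line in dig_output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status:\s*(\w+)", line)
            if m:
                findings["status"] = m.group(1)
        elif line.startswith(";; flags:"):
            flags = re.search(r"flags:\s*([^;]*)", line).group(1).split()
            findings["validated"] = "ad" in flags
        else:
            m = RRSIG_RE.match(line)
            if not m:
                continue
            expire, incept = parse_sigtime(m["expire"]), parse_sigtime(m["incept"])
            sig = {"owner": m["owner"], "covered": m["covered"],
                   "keytag": int(m["keytag"]), "expire": expire, "incept": incept}
            findings["rrsigs"].append(sig)
            if now >= expire:
                findings["problems"].append(
                    f"RRSIG over {sig['owner']} {sig['covered']} expired at {expire:%Y-%m-%d %H:%M}Z")
            elif expire - now < timedelta(days=warn_days):
                findings["problems"].append(
                    f"RRSIG over {sig['owner']} {sig['covered']} expires in {(expire - now).days} days")
            if incept > now:
                findings["problems"].append(
                    f"RRSIG over {sig['owner']} {sig['covered']} is not yet valid (inception in the future)")

    if findings["status"] == "SERVFAIL":
        findings["problems"].append(
            "resolver returned SERVFAIL: the usual symptom of a broken chain of trust "
            "(stale DS at the parent, expired RRSIGs, or keys removed before rollover finished)")
    elif findings["status"] == "NOERROR" and not findings["validated"]:
        findings["problems"].append(
            "answer carries no AD flag: zone unsigned, DS missing at the parent, "
            "or the resolver queried does not validate")
    findings["healthy"] = not findings["problems"]
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; on a real host you would
    # feed in `dig +dnssec www.example.test A` and use datetime.now(timezone.utc).
    for label, output in (("signed zone", SAMPLE_DIG_OUTPUT), ("broken zone", SERVFAIL_DIG_OUTPUT)):
        result = check_dnssec(output, datetime(2024, 5, 20, tzinfo=timezone.utc))
        print(label, "healthy" if result["healthy"] else result["problems"])
```

Run it against a validating resolver (one that sets AD), not the authoritative server itself, since only the validating path shows the SERVFAIL that end users would hit; the seven-day warning window is an assumption and should sit comfortably inside the zone's re-signing interval.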
> You're not concerned that someone might do ...

I mean, now you've brought it up, I am concerned about it - but the level of concern is somewhere between "spontaneous combustion of myself leading to exploitation of my domain DNS because my bugger-i-ded.txt instructions are rubbish" and "cosmic rays hitting all the exact right bits at the exact right time to bugger my DNS deployment when I next do one which won't be for a while because even one a year is a fast pace for me to change something."

(Plus I'm perfectly capable of taking my sites and domains offline by incompetent flubbery as it is; I don't need -more- ways to fuck things up.)

reply
It is not like some cheeky kids would just DDoS the CA authority itself, or hammer bleed the host TLS library yet again.

There are also good reasons many serious admins don't trust signing authorities. If you know... you know why... =3

reply
> make your entire domain fall off the Internet for several days

Yes, exactly.

reply
Can't tell if sarcasm.
reply
It's sarcasm.
reply
If you handle minimal traffic loads it should be fine.

On a busy site, the incurred additional load cost can bite hard.

A lot of people will leave it off for the same reasons as DoH or DoT. =3

reply