> - ECC sigs can be sent in a single packet.
It's 2026. If you're deploying a cryptosystem and not considering post-quantum in your analysis, you'd best have a damn good reason.
ECC signs might be small, but the world will be moving to ML-DSA-44 in the near future. That needs to be in your calculus.
Also, I worked for a DNS company. People stopped caring about ulta-low latency first connect times back in the 90s.
You are clearly very proud of your work devaluing DNSSEC. But pointing to lack of adoption doesn't make your arguments valid.
They did? That's certainly going to be news to the people at Google, Mozilla, Cloudflare, etc. who put enormous amounts of effort into building 0-RTT into TLS 1.3 and QUIC.
It seems to me that you're saying here that (1) the hyperscalers do care but (2) it's under control. I'm not necessarily arguing with (2) but as far as the hyperscalers go: (1) they drive a lot of traffic on their own (2) in many cases they care so their users don't have to.
Hyperscalers go to crazy lengths because they can measure monetary losses due to milliseconds of less view time and it's much easier when they have distributed cloud infrastructure anyway. But it's not really solving a problem for their customers. At least when I worked in DNS land ... latency micro-benchmarking was something of a joke. Like, sure, you can shave off a few tens of milliseconds, but it's super expensive. If you want to reduce latency, just up your TTL times and/or enable pre-fetching.
As a blocker for DNSSEC ... people made arguments about HTTPS overhead back in the day too. DoH also introduces latency, yet people aren't worried about that being a deal killer.
They did, and then we spent an enormous amount of time to shave off a few round trip times in TLS 1.3 and QUIC. So I'm not sure this is as strong an argument as you seem to think it is.
> DoH also introduces latency, yet people aren't worried about that being a deal killer.
Actually, it really depends. It can actually be faster. Here are Mozilla's numbers from when we first rolled out DoH. https://blog.mozilla.org/futurereleases/2019/04/02/dns-over-...
And here are some measurements from Hounsel et al. https://arxiv.org/abs/1907.08089
But if it's worth doing for HTTP, why not for DNS?
> Actually, it really depends. It can actually be faster. Here are Mozilla's numbers from when we first rolled out DoH.
Oh fun!
I'm sorry I don't understand your question.
From your link elsewhere, https://easydns.com/blog/2015/08/06/for-dnssec/
>We might see a day when HTTPS key pinning and the preload list is implemented across all major browsers, but we will never see these protections applied in a uniform fashion across all major runtime environments (Node.js, Java, .NET, etc.)[...]
Is this not the same flaw?
You really aren't going to respond to any of those points? You stand by your complaint DNSSEC being "government controlled PKI" when TLDs are a government controlled naming system? And your alternative is to advocate for privately owned PKI run by companies with no accountability that are also much more vulnerable to attack?
Campaigning against cryptographically signing DNS records is a weird life choice man.
If I've said something in this thread that you disagree with, say so and say why (you'll need something better than "I wrote about this 11 years ago and you weren't nice enough to me about it"). Right now, all you're doing is yelling about a post I wrote 11 years ago and haven't cited once on this thread.
Of course, as you know, I stand by that post. But it's not germane to the thread.
I'm upset that your incorrect arguments have gotten so much traction that the internet is a less safe place for it.
> wrote a post disagreeing with my post, and I didn't go back and revise my post to capture all the arguments you had that I disagreed with. Sorry, but not sorry.
You in a sibling thread:
> I feel pretty confident that the search bar refutes this claim you're making. What you're trying to argue is that I've avoided opportunities to argue about DNSSEC on HN. Seems... unlikely.
It seemed like you wanted to have this discussion but I guess not.
> yelling about a post I wrote 11 years ago and haven't cited once on this thread. ... Of course, as you know, I stand by that post. But it's not germane to the thread.
Do you know what comment thread you are in? I complained about FUD and cited your blogpost. This is what this thread is about.
I'm tickled a the idea that I get to take credit for its demise, though I don't think that's entirely fair. Either way: we're witnessing its agonal breathing. This is an easy call.
This you?