undefined

points

[-]

DNS is barely centralized. Is there an alternative global name lookup system that is less centralized without even worse downsides?

by account421 hours ago|

parent|

[-]

GP said it was a risk (and it is), not that there are better alternatives. Not all risks can be eliminated easily but you should still be aware of them.

by fc417fc8029 hours ago|

parent|

prev|

[-]

GNS is the obvious response here, in addition to the various blockchain based solutions. Nothing that enjoys widespread support or mindshare unfortunately.

Even the current centralized ICANN flavor could be substantially more resilient if it instead handed out key fingerprints and semi-permanent addresses when queried. That way it would only ever need to be used as a fallback when the previously queried information failed to resolve.

by pocksuppet12 hours ago|

parent|

prev|

[-]

BGP, but the names in question are limited to 128 bits, of which at most 48 will be looked up, and you don't get to choose which 48 bits are assigned to you.

by greatgib13 hours ago|

prev|

[-]

Normally it should not have been, with cache and all, but that was the past...

Think about what would happen the day that letsencrypt is borken for whatever reason technical or like having a retarded US leader and being located in the wrong country. Taken into account the push of letsencrypt with major web browsers to restrict certificate validities for short periods like only a few days...

by muvlon12 hours ago|

parent|

[-]

Let's Encrypt has to be down for days before people begin to feel the pain. DNS is very different, it breaks stuff immediately everywhere.

by tharkun__12 hours ago|

parent|

[-]

No it doesn't. DNS breaks as soon as TTLs run out. It's your choice to set them so low that stuff breaks immediately.

by account421 hours ago|

parent|

[-]

Unfortunately you can't set DNS TTL arbitrarily high (or low) without some resolvers ignoring your suggestion and using arbitrary values.

by Arnt1 hours ago|

parent|

[-]

Most historical outages lasted minutes or hours. One arguably lasted much longer, when someone lost control of their servers due to civil war.

I haven't followed this closely, but have there been any... shall we say plain outages longer than six hours? That's not an outrageous TTL. Or a day.

by __float8 hours ago|

parent|

prev|

[-]

What do you recommend then? DNS doesn't usually change that often, but if you mess it up when it does, you're in for some pain if TTLs are high!

by htgb7 hours ago|

parent|

[-]

Not the one you're replying to, but I'd keep TTL high normally and lower it one TTL ahead of a planned change.

by kenniskrag3 hours ago|

parent|

[-]

I would define high as "double time needed to fix a dns issue" and account for weekends

by stouset5 hours ago|

parent|

prev|

[-]

This is the way.

by ale423 hours ago|

parent|

prev|

[-]

This assumes that the host name you want has been recently queried. If it's not cached, good luck...

by cyberax13 hours ago|

prev|

[-]

Not really? .com and .net are still up

If Let's Encrypt goes down, half of the Internet will become inaccessible in a week.

by akerl_12 hours ago|

parent|

[-]

Presumably if LetsEncrypt goes down and stays down for a week, the sites that go down are the ones that see that their CA went down and at no point in the week take the option to get certs from a different CA?

by bluejekyll11 hours ago|

parent|

[-]

I guarantee that there are a ton of sites out there not monitoring their certs.

by throw0101c36 minutes ago|

parent|

[-]

Including Microsoft, Starlink, Github, Cisco:

* https://www.keyfactor.com/blog/2023s-biggest-certificate-out...

by gpvos3 hours ago|

parent|

prev|