It appears that Viktor Dukhovni <ietf@xxxxxxxx> said:
>Ben's claim that CAs are "more secure" than DNSSEC is demonstrably
>in error in a world where all that CAs do is issue DV certs that
>attest to "domain control".

More than that, the security of your DNS depends on the providers in the chain between you and the root, which is typically short, and over which you have a lot of control. If you have a valuable domain, you can use a high-security registrar that applies controls to zone changes. With PKI, your security is only as good as the worst of all of the CAs in someone's browser, nearly all of which have no relation to you and most of which you've never heard of.

This is not a new argument and I doubt we're going to say anything new here.

R's,
John

PS: I know about CAA, but if you believe it matters, that means CA security can be at best as good as DNS security.
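The PS above points at a concrete dependency: a CA's CAA check is nothing more than a function of what the resolver hands back, so CAA can only constrain issuance as far as the DNS answers themselves are trustworthy. The following is an added example, not part of the thread or of any CA's code, showing a minimal RFC 8659 CAA evaluation over a constructed in-memory DNS snapshot (the names example.com, locked.example.net and strict.example.org, their records, and the issuer names are hypothetical). It climbs from the FQDN toward the root for the relevant RRset, distinguishes issue from issuewild, honours the ";" no-issuance value, and refuses on an unrecognised critical tag; CNAME following and the DNSSEC validation that would make the answers trustworthy are deliberately out of scope.

```python
"""Minimal RFC 8659 CAA evaluation over a constructed zone snapshot.

Added example for the CAA point in the thread; not code from any CA or
resolver. The zone below is constructed by hand and the names are
hypothetical. No network is used.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # e.g. "ca.example; account=123", or ";" for "no CA"


# Constructed snapshot (hypothetical names): owner name -> CAA RRset.
# "www.example.com" is assumed to exist but to carry no CAA records,
# so a lookup for it must climb to "example.com".
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "issuewild", ";")],
    "locked.example.net": [CAA(0, "issue", ";")],
    "strict.example.org": [CAA(128, "newtag", "whatever")],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")
CRITICAL = 128


def relevant_caa(fqdn, zone=ZONE):
    """RFC 8659 section 3: walk from the FQDN toward the root and return
    (owner, rrset) for the first non-empty CAA RRset, or (None, [])."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, list(rrset)
    return None, []


def issuer_domain(value):
    """Strip parameters: 'ca.example; account=123' -> 'ca.example'.
    The bare ';' value yields '' and therefore matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca, wildcard=False, zone=ZONE):
    """Decide whether CA `ca` (its issuer-domain-name) may issue for fqdn.
    Returns (allowed: bool, reason: str)."""
    owner, rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True, "no CAA records found; issuance unrestricted"

    # An unrecognised tag with the critical flag set must block issuance.
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical tag {r.tag!r} at {owner}"

    # issuewild governs wildcard requests when present; otherwise issue
    # records apply to wildcard requests too.
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if wildcard and not relevant:
        relevant = [r for r in rrset if r.tag.lower() == "issue"]
    if not relevant:
        return True, f"no {tag} records at {owner}; issuance unrestricted"

    allowed = {issuer_domain(r.value) for r in relevant}
    if ca.lower() in allowed:
        return True, f"{ca} authorised by {tag} record at {owner}"
    return False, f"{ca} not among {sorted(allowed)} at {owner}"


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "digicert.com", False),
                           ("example.com", "letsencrypt.org", True),
                           ("locked.example.net", "letsencrypt.org", False),
                           ("strict.example.org", "letsencrypt.org", False),
                           ("nothing.example.test", "anyca.example", False)]:
        print(name, ca, "wildcard" if wild else "", "->", may_issue(name, ca, wild))
```

Every decision the function makes is driven by `ZONE`; swap in records an attacker planted in the resolver's cache, or at a weak registrar, and the "authorised" answer follows. That is the sense in which CAA cannot make issuance any safer than the DNS it consults.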