Re: TLS Everywhere

On Mon, Aug 12, 2024 at 06:42:02PM -0400, Nick Lockheart wrote:

> I think the issue with DANE (for websites) is that it relies on DNSSEC,
> which unfortunately, turns into a debate over "who gets to own the keys
> to the entire Internet".

Naturally the root zone, its operators (lots of anycast nodes all over
the world, and many "localroot" deployments) would need to be able to
somehow lie about the (non-)delegation of a name under some TLD, or
about DS RRs of some TLD, and somehow get away with it, or be willing
to lose their stewardship by going out guns blazing, for some dubious
goal.

Otherwise, the root zone will continue its boring job of publishing the
expected DS RRs for the usual TLDs, which in turn publish DS RRs for
their delegations, ... which lines up precisely with the authority to
delegate domains in the first place.

> I am certainly interested in brainstorming ways to validate a TLS
> certificate *without* the need for DNSSEC.

This feels misguided.  If you want certificates for *domain names*, you
naturally align with the DNS delegation hierarchy, which can only
meaningfully be protected via something like DNSSEC.

If you want a "permissionless" system, you're looking at either
something like blockchain naming, or perhaps PHB's proposed callsign
registry, but the moment those names are intended to align with
real-world trademarks of known commercial entities, permissionless is
impossible; trademarks are guarded by powerful moneyed interests. You
don't get to call your product "Coca Cola" unless you're North Korea and
don't care about commercial relationships with the world at large.

-- 
    Viktor.
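The chain Viktor describes (root publishes DS RRs for TLDs, TLDs publish DS RRs for their delegations) rests on one mechanism: a DS record in the parent zone is a digest of the child's DNSKEY, so the parent commits to the child's key without holding it. The following is an added example, not code from the thread or from any DNS implementation: a small Python model of DS construction and checking per RFC 4034 (digest over canonical owner name plus DNSKEY RDATA; key tag per Appendix B). The zone name and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct
from dataclasses import dataclass

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 (RFC 4034 section 2.1.2)
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded back in
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    # Canonical wire form (RFC 4034 section 6.2): lowercase labels, length-prefixed, root terminator
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, key: DNSKEY, digest_type: int = 2) -> bytes:
    # RFC 4034 section 5.1.4: digest = H(DNSKEY owner name | DNSKEY RDATA)
    return DIGEST_ALGS[digest_type](wire_name(owner) + key.rdata()).digest()


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    # What the parent zone publishes once the child hands over its KSK
    return DS(key.key_tag(), key.algorithm, digest_type, ds_digest(owner, key, digest_type))


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    # The validating resolver's check when it crosses the delegation into the child zone
    return (ds.key_tag == key.key_tag() and ds.algorithm == key.algorithm
            and ds.digest == ds_digest(owner, key, ds.digest_type))


# Constructed sample: a KSK for "example." with placeholder key bytes (not a real key)
EXAMPLE_KEY = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(8)))
EXAMPLE_DS = make_ds("example.", EXAMPLE_KEY)
```

Any change to the child's key (key bytes or even the flags field) changes the key tag and the digest, so the parent's DS no longer matches and a validating resolver treats the child's DNSKEY as untrusted.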



